TL;DR
- Onyx Protocol, a fork of Compound Finance, suffered a cyber attack that resulted in a loss of $3.8 million.
- The attackers exploited a known precision issue in the protocol’s code, which allowed for the swapping of stolen funds.
- This is not the first attack on the protocol, as $2.1 million had already been lost in October 2023 due to a rounding error.
Onyx Protocol, a fork of Compound Finance, has been the victim of a cyber attack that resulted in the loss of $3.8 million, adding to the list of vulnerable DeFi platforms.
The incident occurred after the attackers exploited a known precision issue in the protocol’s code, which had already been exploited in other similar forks. According to reports from the security firm PeckShield, a series of suspicious transactions in OnyxDAO led to the detection of the attack, allowing hackers to perform swaps of the stolen funds.
Hi @OnyxDAO, you may want to take a look pic.twitter.com/fcU6fHP4jr
— PeckShield Inc. (@peckshield) September 26, 2024
Most of the losses were recorded in VUSD, although the attackers also stole assets such as XCN, DAI, WBTC, and USDT. A subsequent analysis by the security firm Cyvers corroborated the loss amount, which stood at approximately $3.2 million at the time of the attack. Apparently, the hacker held a balance of 521 ETH, equivalent to $1.36 million, while other digital assets had not yet been swapped.
🚨ALERT🚨Our system has detected suspicious transaction involving @OnyxDAO on #ETH chain!
Total loss is around $3.2M. Most of the loss are in $VUSD. Attacker currently holds 521 $ETH $1.36M. Rest of the digital assets are not swapped yet!
More info will follow! Stay tuned!… pic.twitter.com/CwGwRgZyNh
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) September 26, 2024
The Vulnerability of Onyx Protocol Had Already Been Exploited in Other Protocols
This hack is far from being an isolated incident. Onyx Protocol had already suffered an attack in October 2023, where $2.1 million was lost due to a rounding error in its code. Such vulnerabilities have become a concerning pattern within the DeFi ecosystem, as many developers choose to build on existing codes instead of developing new functionalities from scratch. If the base code presents security flaws, forks may inherit these weaknesses.
Industry experts warn that the lack of an active community to oversee and maintain code security can lead to critical situations, as evidenced by recent attacks. Security firms like Halborn have pointed out that the vulnerability of Onyx Protocol was known and had already been exploited in other protocols that also use Compound Finance code. Developers have been advised that when launching new markets, they should implement strategies to ensure that the total supply of assets does not drop to zero, which would make the protocol vulnerable.
