
DeFi protocol Onyx hit with a $3.2 million exploit, marking second attack within a year

theblock.co 27/09/2024 - 15:23 PM

Onyx Protocol Exploited Again

Onyx, a fork of DeFi lending protocol Compound Finance, suffered a $3.2 million loss on Thursday, marking its second smart contract exploit in a year.

Details of the Attack

Security firm Fuzzland reported that a malicious contract was deployed to Onyx at 11:57 a.m., just five minutes before the attack took place. Rival firms PeckShield and Cyvers also observed unusual transactions on OnyxDAO prior to the hack.

Cyvers noted that most losses were in VUSD, a U.S. dollar-denominated stablecoin. The suspected attacker holds 521 ETH valued at approximately $1.36 million and has been hesitant to convert the stolen assets.

PeckShield estimates the loss to be around $3.8 million. The hacker exploited a known bug in the forked Compound V2 code, siphoning off VUSD, DAI, tether stablecoins, and other cryptocurrencies.

PeckShield commented, “Another issue that facilitates the hack is related to the NFTLiquidation contract, which does not properly validate untrusted user input, allowing the exploitation to inflate self-liquidation reward amounts.”

Previous Attack

Previously, in October, Onyx fell victim to a $2.1 million hack due to an integer rounding vulnerability and flash loan attack.

Fuzzland founder Chaofan Shou remarked, “Last year’s attack stemmed from vulnerabilities introduced when forking compromised Compound code. This time, they introduced vulnerabilities themselves through errors in their logic.”



