DeFi Protocol Onyx Loses $3.8 Million in Exploit
Key Takeaways
- Reportedly, a weakness in the NFT liquidation contract was the main contributor to the breach.
- The hacker drained assets including 4.1 million VUSD, 7.35 million XCN, 0.23 WBTC, $5,000 worth of Dai stablecoin, and $50,000 in USDT stablecoin, totaling more than $3.8 million.
Leading decentralized finance (DeFi) protocol Onyx suffered a major exploit, resulting in a loss of $3.8 million, as per blockchain security platform PeckShield. The attack leveraged a known vulnerability in the Compound Finance v2 codebase.
In November 2023, Onyx Protocol lost roughly $2.1 million when a hacker exploited the same known bug, a rounding issue affecting forks of the popular Compound v2 codebase. In this latest instance, a weakness in the non-fungible token (NFT) liquidation contract also contributed to the breach, as confirmed by the PeckShield report.
The Onyx team addressed the exploit in a post on X (formerly Twitter) on September 27, acknowledging that the faulty NFT liquidation contract played a central role. “Onyx Protocol was subject to a security incident where a nefarious actor exploited the protocol to drain VUSD from the protocol,” the post read, clarifying that the NFT contract flaw was the main culprit rather than the previously known Compound vulnerability.
PeckShield’s analysis revealed that the attacker siphoned off a variety of digital assets, including 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 worth of Dai stablecoin, and $50,000 in USDT stablecoin, totaling more than $3.8 million.
The Compound Finance v2 vulnerability, which affected several DeFi protocols, had been exploited before, including in a notable breach of Hundred Finance in April 2023. Exploits of it primarily target what is called an “empty market,” one with no liquidity, a situation that usually arises when a new market is launched.
However, this time, Onyx pointed out that while the known flaw in the Compound codebase played a part, the primary issue lay within the NFT liquidation contract. PeckShield’s report backed this, stating that the NFT contract failed to properly validate user input, allowing the attacker to inflate the self-liquidation reward amount.
The latest development comes days after an Immunefi report revealed that crypto hacks and scams amounted to $413 million in losses in the third quarter of 2024, a significant decrease from Q3 2023, when hackers stole $686 million.