Onyx was hit for a second time by an attack targeting a known vulnerability; this time, however, the attack was more complex than the first.
DeFi protocol Onyx fell victim to a $3.8 million exploit on September 26. Cybersecurity firm PeckShield reported the incident, mentioning that the attack targeted a contract known to be faulty. The hacker walked away with 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped bitcoin (WBTC), 5,000 Dai (DAI), and 50,000 Tether (USDT).
“It seems today’s victim @OnyxDAO(w/ >$3.8m loss) falls prey to a known precision issue in forked CompoundV2 code base,” PeckShield said. “The bug is exploited to leverage a nearly empty market to manipulate the exchange rate and here is the related hack tx.”
Source: PeckShield
This exploit stems from a flaw in a Compound Finance v2 contract, a code base that many protocols fork. Onyx was first hacked through the same vulnerability on November 1, 2023. The vulnerability can only be exploited while a market has zero liquidity, which is normally the case only when a new market contract has just been deployed.
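The precision issue described above comes down to integer rounding in the cToken exchange-rate arithmetic. The model below is an added illustration, not Onyx's or Compound's code: it reproduces the Compound v2 formulas (exchange rate = (cash + borrows - reserves) / totalSupply, and redeemUnderlying burning `amount * 1e18 / rate` cTokens, rounded down) and measures how much underlying a redeem can withdraw that the burned cTokens did not pay for. The pool sizes, the 2-wei supply and the seeded supply are constructed values; the "seeded" case reflects the common mitigation of giving a new market non-trivial supply before it is opened.

```python
# Integer model of Compound v2 style cToken accounting (18-decimal mantissa).
# Constructed scenarios; not the contract code of any specific protocol.
MANTISSA = 10**18
INITIAL_RATE = 2 * 10**26  # typical initialExchangeRateMantissa for an empty market


def exchange_rate(cash, borrows, reserves, total_supply, initial_rate=INITIAL_RATE):
    """exchangeRateStored(): falls back to the initial rate when no cTokens exist."""
    if total_supply == 0:
        return initial_rate
    return (cash + borrows - reserves) * MANTISSA // total_supply


def ctokens_for_redeem(redeem_underlying, rate):
    """redeemUnderlying(): cTokens burned for a requested underlying amount.
    Integer division rounds DOWN, which is the precision issue."""
    return redeem_underlying * MANTISSA // rate


def redeem_rounding_loss(cash, total_supply, redeem_underlying):
    """Underlying that leaves the pool without being paid for by burned cTokens.
    A deployer can run this against a market's state before opening it."""
    rate = exchange_rate(cash, 0, 0, total_supply)
    burned = ctokens_for_redeem(redeem_underlying, rate)
    paid_for = burned * rate // MANTISSA
    return redeem_underlying - paid_for


def loss_share(cash, total_supply, redeem_underlying):
    """Unpaid withdrawal as a fraction of the pool's cash."""
    return redeem_rounding_loss(cash, total_supply, redeem_underlying) / cash


# Scenario A (constructed): nearly empty market, only 2 wei of cTokens outstanding,
# after the pool balance has been pushed to 2000 tokens by a direct transfer.
NEAR_EMPTY_SUPPLY = 2
POOL_CASH = 2000 * 10**18

# Scenario B (constructed): the same pool but seeded with 1000 cTokens (8 decimals).
SEEDED_SUPPLY = 1000 * 10**8

if __name__ == "__main__":
    redeem = 1999 * 10**18 + 7
    for label, supply in (("near-empty", NEAR_EMPTY_SUPPLY), ("seeded", SEEDED_SUPPLY)):
        loss = redeem_rounding_loss(POOL_CASH, supply, redeem)
        print(f"{label:10s} unpaid withdrawal = {loss} wei "
              f"({loss_share(POOL_CASH, supply, redeem):.2%} of pool)")
```

With 2 wei of supply one cToken is worth half the pool, so the rounded-down burn leaves roughly 999 tokens unpaid; with a seeded supply the same redeem loses only a few wei.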
Onyx agreed that the flawed contract was one of the reasons for the hack, since it gave the attacker a foothold from which to exploit another contract. It noted that “the primary issue wasn’t an empty market but the NFTLiquidation Contract,” while reiterating that the XCN Staking and XCN Farming contracts remain unaffected.
PeckShield corroborated Onyx’s observation, saying, “Another issue that facilitates the hack is related to the NFTLiquidation contract, which does not properly validate (untrusted) user input and was exploited to inflate the self-liquidation reward amount.”
Onyx Introduces New Proposal
In the aftermath of the attack, Onyx has released a new proposal, OIP-46: Relaunch Onyx Core. While it would bring major changes to the protocol, including terminating its Ethereum-based lending market, the proposal also aims to reimburse users affected by the hack.