DeFi Protocol Onyx Loses $3.8 Million in Exploit

Key Takeaways

  • Reportedly, a weakness in the NFT liquidation contract mainly contributed to the breach.
  • The hacker drained assets including 4.1 million VUSD, 7.35 million XCN, 0.23 WBTC, $5,000 worth of Dai stablecoin, and $50,000 in USDT stablecoin, totaling more than $3.8 million.

Leading decentralized finance (DeFi) protocol Onyx suffered a major exploit, resulting in a loss of $3.8 million, as per blockchain security platform PeckShield. The attack leveraged a known vulnerability in the Compound Finance v2 codebase.

In November 2023, Onyx Protocol lost roughly $2.1 million when the hacker exploited the same known bug, a rounding issue behind the popular CompoundV2 fork. In this latest instance, a weakness in the non-fungible token (NFT) liquidation contract also contributed to the breach, as confirmed by the PeckShield report.

The Onyx team addressed the exploit in a post on X (formerly Twitter) on September 27, acknowledging that the faulty NFT liquidation contract played a central role. “Onyx Protocol was subject to a security incident where a nefarious actor exploited the protocol to drain VUSD from the protocol,” the post read, clarifying that the NFT contract flaw was the main culprit rather than the previously known Compound vulnerability.

PeckShield’s analysis revealed that the attacker siphoned off a variety of digital assets, including 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 worth of Dai stablecoin, and $50,000 in USDT stablecoin, totaling more than $3.8 million.

The Compound Finance v2 vulnerability, which affected several DeFi protocols, had been exploited before, including a notable breach of Hundred Finance in April 2023. It primarily targets what is called an “empty market,” or one with no liquidity, which is a situation that usually arises when a new market is launched.

However, this time, Onyx pointed out that while the known flaw in the Compound codebase played a part, the primary issue lay within the NFT liquidation contract. PeckShield’s report backed this, stating that the NFT contract failed to properly validate user input, allowing the attacker to inflate the self-liquidation reward amount.

The latest development comes days after an Immunefi report revealed that crypto hacks and scams amounted to $413 million in losses in the third quarter of 2024, a significant decrease from Q3 2023, when hackers stole $686 million.

Saniya Raahath