Onyx Protocol Faces Another $3.8 Million Exploit Due to Known Bug
On September 26, the decentralized finance (DeFi) protocol Onyx suffered a significant security breach, resulting in the loss of $3.8 million. This exploit was facilitated by a combination of an old bug in the Compound Finance v2 codebase and a new input validation vulnerability, as confirmed by the blockchain security firm PeckShield.
Details of the Exploit
According to PeckShield’s report, the attacker exploited a vulnerability in the Onyx protocol’s non-fungible token (NFT) liquidation contract. This contract flaw allowed the attacker to manipulate the system and drain funds. The compromised assets included:
- 4.1 million virtual USD (VUSD)
- 7.35 million Onyxcoin (XCN)
- 0.23 Wrapped Bitcoin (WBTC)
- $5,000 worth of Dai (DAI)
- $50,000 worth of USDt (USDT)
Compound Finance v2 Codebase Issue
The vulnerability that led to this exploit is rooted in the Compound Finance v2 codebase, which has been frequently forked and used by various DeFi protocols. This specific bug had previously caused an exploit against Onyx in October 2023 and Hundred Finance in April 2023. The flaw is particularly dangerous in scenarios involving “empty markets,” or markets with no liquidity, which typically occur when new markets are launched.
Onyx Team’s Response
In a statement on September 27, the Onyx team acknowledged the security incident, attributing it to the faulty NFT liquidation contract. They clarified that the primary issue was not the known flaw related to empty markets but rather the NFT liquidation contract’s failure to validate user input properly. This allowed the attacker to inflate the self-liquidation reward amount, facilitating the exploit.
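The two failure modes named above (the near-empty-market rounding flaw inherited from the Compound v2 codebase, and a liquidation path that trusts a caller-supplied reward figure) can be illustrated with a small model. The following Python is an added example written for this article; it is not Onyx's or Compound's code, and the constants (the 0.02 initial exchange rate, the 1.08x liquidation incentive, and the MIN_TOTAL_SUPPLY threshold) are assumptions chosen to make the arithmetic visible. It models the cToken exchange rate in Solidity-style integer math, shows an audit check that flags when a market would pay out underlying for zero cTokens burned, and shows the guarded versions of redemption and liquidation that a defender would want.

```python
"""Toy Compound-v2-style lending market (constructed for this article; not
Onyx's or Compound's code). Shows (1) the near-empty-market rounding hazard,
(2) two guards against it, and (3) a liquidation that recomputes its reward
on-chain instead of trusting a caller-supplied amount."""

MANTISSA = 10**18          # fixed-point scale, as in Solidity
MIN_TOTAL_SUPPLY = 10**6   # assumed: minimum cToken supply before the market is "live"


class MarketError(Exception):
    """Stands in for a Solidity revert."""


class Market:
    def __init__(self, guarded, initial_rate=2 * 10**16, incentive=108 * 10**16):
        self.guarded = guarded            # True applies the defender-side checks
        self.cash = 0                     # underlying held by the contract
        self.total_supply = 0             # cTokens outstanding
        self.initial_rate = initial_rate  # assumed 0.02 underlying per cToken, scaled
        self.incentive = incentive        # assumed 1.08x liquidation incentive, scaled

    def exchange_rate(self):
        # Compound v2 shape: cash / totalSupply once any cTokens exist.
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * MANTISSA // self.total_supply

    def mint(self, amount):
        tokens = amount * MANTISSA // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        return tokens

    def donate(self, amount):
        # A direct ERC-20 transfer to the contract: raises cash, mints nothing,
        # so it moves the exchange rate without going through mint().
        self.cash += amount

    def redeem_underlying(self, amount):
        rate = self.exchange_rate()
        if self.guarded:
            if self.total_supply < MIN_TOTAL_SUPPLY:
                raise MarketError("market not seeded")
            tokens = -(-amount * MANTISSA // rate)   # round up, in the protocol's favour
        else:
            tokens = amount * MANTISSA // rate       # original behaviour: rounds down
        if tokens > self.total_supply or amount > self.cash:
            raise MarketError("insufficient balance")
        self.total_supply -= tokens
        self.cash -= amount
        return tokens

    def liquidate(self, repay_amount, claimed_reward):
        # Guarded: the seize amount is derived from protocol state only.
        # Unguarded: whatever the caller claims is paid out (the input-validation gap).
        computed = repay_amount * self.incentive // MANTISSA
        return computed if self.guarded else claimed_reward


def free_underlying_for_zero_burn(market):
    """Audit check: largest redemption that round-down math would honour while
    burning zero cTokens. Nonzero means the market is in the dangerous state."""
    if market.total_supply == 0:
        return 0
    return (market.exchange_rate() - 1) // MANTISSA


def scenario(guarded):
    """Tiny first deposit, then a donation that inflates the exchange rate."""
    m = Market(guarded)
    m.mint(1)             # first depositor: 1 unit of underlying -> 50 cTokens
    m.donate(1_000_000)   # cash jumps while only 50 cTokens exist
    at_risk = free_underlying_for_zero_burn(m)
    try:
        burned = m.redeem_underlying(at_risk)
        return {"at_risk": at_risk, "burned": burned, "reverted": False, "cash": m.cash}
    except MarketError:
        return {"at_risk": at_risk, "burned": 0, "reverted": True, "cash": m.cash}


def seeded_market_free_amount():
    """Same donation against a properly seeded market: no zero-burn window."""
    m = Market(guarded=True)
    m.mint(1_000_000)
    m.donate(1_000_000)
    return free_underlying_for_zero_burn(m)


if __name__ == "__main__":
    print("unguarded:", scenario(False))   # 20000 underlying out, 0 cTokens burned
    print("guarded:  ", scenario(True))    # reverts: market not seeded
    print("seeded:   ", seeded_market_free_amount())
    print("liquidation reward, guarded vs unguarded:",
          Market(True).liquidate(1000, 5000), Market(False).liquidate(1000, 5000))
```

The audit function is the monitoring-side takeaway: a market whose `free_underlying_for_zero_burn` is nonzero should not be open for redemptions, which is why forks typically seed new markets with burned initial liquidity and add a minimum-supply check before going live. The liquidation model captures the Onyx team's own description of the primary issue only at the level of principle (compute the reward from state, never from the caller), since the page gives no detail of the NFT contract's internals.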
Broader Implications for DeFi Security
This incident highlights the persistent security challenges within the DeFi space. Onyx is not alone in facing such issues. Recently, the liquid staking protocol Bedrock lost over $2 million due to a vulnerability in its uniBTC contract. Similarly, Bankroll Network was drained of $230,000 when an attacker exploited a faulty “buyFor” function to inflate their profits.
Conclusion
The recurring nature of these exploits underscores the importance of rigorous security measures and thorough code audits in the DeFi sector. As DeFi continues to grow, protocols must prioritize security to protect user funds and maintain trust in the decentralized financial ecosystem.
