Onyx Protocol: A $3.8 Million Repeat Exploit
Exploring the $3.8 Million Exploit of Onyx Protocol: Lessons in DeFi Security, Market Vulnerabilities, and the Consequences of Ignoring Audit Recommendations
TL;DR
Onyx Protocol has once again suffered a $3.8 million exploit, driven by a familiar vulnerability linked to market conditions. The attacker executed a series of manipulative transactions using a flash loan and then targeted the NFTLiquidation contract. Despite past warnings, Onyx's lack of preventive measures highlights ongoing security concerns in the DeFi space.
Onyx Protocol is once again facing significant setbacks after being exploited for $3.8 million due to a vulnerability that had previously affected them last year.
This recurrence emphasizes a troubling pattern: despite past mistakes, the team has seemingly failed to implement effective security measures.
The recent exploit, which targeted various assets, including VUSD, DAI, WBTC, and USDT, underscores the importance of rigorous auditing and risk management, especially when launching new markets.
Instead of evolving and learning from its prior experiences, Onyx appears to be caught in a cycle of oversight, raising serious concerns about its commitment to safeguarding user assets.
In the broader context of DeFi challenges, Onyx’s situation serves as a cautionary tale. It illustrates that neglecting past lessons can lead to repeated failures. While there may still be an opportunity for recovery, the current trust in the platform is undeniably shaken.
In a twist that surprised absolutely no one, Onyx Protocol took the concept of "double or nothing" a bit too literally.
While crypto enthusiasts debated the latest meme coin trends or prepared for upcoming conferences, Cyvers stepped in with an unwelcome update: "Our system has detected suspicious transactions involving Onyx DAO on the ETH chain! Total loss is around $3.8 million."
🚨ALERT🚨 Our system has detected suspicious transactions involving @OnyxDAO on #ETH chain!
Total loss is around $3.2M. Most of the loss is in $VUSD. Attacker currently holds 521 $ETH ($1.36M). The rest of the digital assets are not swapped yet!
More info will follow! Stay tuned!… x.com/i/web/status/1…
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts)
12:43 PM • Sep 26, 2024
Meanwhile, the Onyx team appeared to be practicing their ostrich impressions, seemingly oblivious to the unfolding crisis.
Four hours after the exploit, they finally emerged from their silence: "Onyx Protocol is aware of unusual activity on our platform and is currently reviewing third-party post-mortem examination data while conducting our own investigation."
Unfortunately, by that point, the digital safe had already been breached, and its assets scattered across the blockchain.
Onyx Protocol is aware of unusual activity on our platform and is currently reviewing third-party post-mortem examination data while conducting our own investigation.
We will announce further details in due course 📣
— Onyx (@OnyxDAO)
4:06 PM • Sep 26, 2024
As blockchain analysts began piecing together the digital crime scene, they found themselves watching a rerun of "Precision Manipulation: Onyx Edition." The same vulnerability, a different day—underscoring the urgent need for improved security measures within the protocol.
Hacken, stepping in as DeFi's investigative team, laid out the blueprint for the recent attack.
Our cunning hacker, a true aficionado of sequels, relied on a well-worn script:
The process began with a 2,000 ETH flash loan from Balancer. After all, why use personal funds when borrowed capital is available?
Next came the ETH shell game: 1,999.5 ETH was deposited into the oEther contract, while a mere 0.5 ETH was funneled into a malicious contract specifically designed for this exploit.
This custom contract was then used to mint and redeem oETH in minuscule amounts, so small that even a satoshi would seem substantial. We’re talking about 0.00000001 oETH here, the smallest unit the token has, illustrating that in DeFi, size isn't always everything.
The hacker repeated this minting and redeeming process 56 times, adhering to the adage: if at first you don’t succeed, try, try, try again.
As the exchange rate began to spiral out of control, it became evident that in DeFi, it’s not the size of the transaction that matters, but the execution.
This precision manipulation attack exploited a vulnerability that has become alarmingly familiar within the Compound V2 ecosystem.
The flaw? A miscalculation in the asset's exchange rate during periods of low liquidity in the market.
It’s as if Onyx left the door wide open, hung a "Free Money" sign, and took an extended vacation.
Exploiter Address: 0x680910cf5Fc9969A25Fd57e7896A14fF1E55F36B
Attack Transaction: 0x46567c731c4f4f7e27c4ce591f0aebdeb2d9ae1038237a0134de7b13e63d8729
Attack Contract: 0xAE7d68b140Ed075E382e0A01d6c67ac675AFa223
But the story doesn't end there! Our resourceful hacker pressed on.
Peckshield, embodying DeFi's Sherlock Holmes, unearthed yet another flaw lurking in Onyx's infrastructure.
The attacker capitalized on a vulnerability within the NFTLiquidation contract, which failed to adequately validate user inputs.
This oversight enabled them to inflate the self-liquidation reward amount, effectively handing them a blank check drawn straight from Onyx’s account.
This revelation highlights not just a single exploit, but a broader issue of security oversight, leaving Onyx vulnerable to even more sophisticated attacks.
The outcome? A veritable feast of stolen assets, as outlined by Peckshield:
4.1M VUSD
7.35M XCN
5K DAI
0.23 WBTC
50K USDT
All told, this amounted to a $3.8 million windfall for our hacker and yet another hard-hitting lesson for Onyx Protocol—one that seems to have been both learned and quickly forgotten.
Speaking of forgetfulness, let’s take a cue from the Pokémon universe: Onix evolves into Steelix, gaining strength and resilience in the process. In stark contrast, Onyx Protocol appears trapped in a relentless cycle of vulnerability, as if it’s intentionally stunted its growth with an Everstone.
No matter how many times it’s battered by high-profile exploits, it seems incapable of adopting new strategies for defense. Right now, it’s less “Rock Throw” and more “Self-Destruct.”
CertiK performed an audit on Onyx back in January 2022, but since then? Crickets. No updates, no follow-ups—just a deafening silence. If there were valuable lessons to be gleaned, they’ve vanished into thin air.
It seems Onyx operates under the illusion that smart contracts are like fine wine: if left untouched, they’ll only improve. Spoiler alert: that’s not how it works.
In a bold move, Onyx opted to gamble by adding a VUSD market through a governance proposal. Because, who needs a thorough audit when introducing something new, right?
Their version of spring cleaning appears to involve shoving existing vulnerabilities under the rug while unfurling a welcome mat for fresh ones.
They didn’t just miss a few crucial steps; they took a high-speed elevator straight to Rekt City, skipping all precautionary measures along the way.
In a realm where “move fast and break things” meets “copy-paste and pray,” one must wonder: is DeFi innovation outpacing rational thought, or is common sense simply on an extended coffee break?
If this narrative feels like a case of déjà vu, you’re certainly not alone.
We’ve traversed this path before, everyone. In our earlier analyses of Onyx's escapades, we made a crucial observation: while CertiK performed their audit routine, the true vulnerabilities stem from market conditions, not just the underlying code.
Remember the golden rule for Compound V2 forks? Vacant markets are like a magnet for hackers.
Launching new markets should be approached with the precision of a bomb disposal technician, not with a “yolo and pray” mentality.
Following the Hundred Finance sequel hack, Hexagate shared some insightful advice: “Mint some cTokens, burn them, and ensure the total supply never dips to zero. It’s akin to DeFi’s version of leaving just one cookie in the jar.”
But did Onyx take that advice to heart?
It seems their memory is as short as a goldfish’s, and their capacity to learn is nearly nonexistent.
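To make the two technical points of this post concrete (the exchange-rate miscalculation in a near-empty Compound V2 market described in the attack walkthrough above, and Hexagate's "mint, burn, never let total supply hit zero" launch advice), here is an added example. It is not Onyx's, Compound's or Hexagate's code: it is a minimal integer reimplementation of the public Compound V2 exchange-rate formula, `(cash + borrows - reserves) / totalSupply` with a fixed initial rate while `totalSupply` is zero. The `Market` class, the `rate_swing` gauge, `seed_and_burn`, `launch_check` and the `DEAD_ADDRESS` burn sink are all assumptions for illustration, and the initial rate is Compound's own cETH value (0.02 ETH per 8-decimal cToken), which a fork may configure differently.

```python
"""Integer model of Compound V2 exchange-rate arithmetic (added example, not Onyx's code).

Shows (1) how little it takes to move the exchange rate of an almost-empty
market and (2) the seed-and-burn launch check that keeps totalSupply > 0.
"""
import copy

MANTISSA = 10**18
# Assumption: Compound's initial rate for cETH (0.02 ETH per 8-decimal cToken).
INITIAL_EXCHANGE_RATE = 200_000_000_000_000_000_000_000_000
DEAD_ADDRESS = "0x000000000000000000000000000000000000dEaD"  # burn sink (assumed)


class Market:
    """One cToken market: underlying in wei, cTokens in 8-decimal units."""

    def __init__(self, initial_rate=INITIAL_EXCHANGE_RATE):
        self.cash = 0          # underlying held by the contract
        self.borrows = 0
        self.reserves = 0
        self.total_supply = 0  # cTokens outstanding
        self.balances = {}     # holder -> cToken balance
        self.initial_rate = initial_rate

    def exchange_rate(self):
        """Compound V2 exchangeRateStored, scaled by 1e18."""
        if self.total_supply == 0:
            return self.initial_rate
        return (self.cash + self.borrows - self.reserves) * MANTISSA // self.total_supply

    def mint(self, who, underlying):
        """Deposit underlying; cTokens minted round DOWN, as in Compound."""
        tokens = underlying * MANTISSA // self.exchange_rate()
        self.cash += underlying
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def redeem(self, who, tokens):
        """Burn cTokens for underlying; underlying paid out rounds DOWN."""
        if who == DEAD_ADDRESS or tokens > self.balances.get(who, 0):
            raise ValueError("insufficient or unredeemable cToken balance")
        underlying = tokens * self.exchange_rate() // MANTISSA
        self.balances[who] -= tokens
        self.total_supply -= tokens
        self.cash -= underlying
        return underlying

    def receive_underlying(self, underlying):
        """A plain transfer into the contract: raises cash, mints nothing."""
        self.cash += underlying


def rate_swing(market, deposit):
    """Factor by which the exchange rate grows if `deposit` wei lands in the
    contract without minting. A sensitivity gauge for the market's state."""
    before = market.exchange_rate()
    probe = copy.deepcopy(market)
    probe.receive_underlying(deposit)
    return probe.exchange_rate() / before


def seed_and_burn(market, deployer, underlying):
    """Hexagate's launch recipe: mint cTokens and park them at the burn
    address so totalSupply can never fall back to zero. Returns tokens burned."""
    tokens = market.mint(deployer, underlying)
    market.balances[deployer] -= tokens
    market.balances[DEAD_ADDRESS] = market.balances.get(DEAD_ADDRESS, 0) + tokens
    return tokens


def launch_check(market, min_burned_tokens):
    """Pre-listing gate for a governance proposal: only enable a market whose
    burned seed meets the minimum."""
    return market.balances.get(DEAD_ADDRESS, 0) >= min_burned_tokens


def main():
    sparse = Market()
    sparse.mint("first_depositor", 2 * 10**8)   # exactly one cToken unit
    print("sparse market, 1 ETH donated: rate x", rate_swing(sparse, 10**18))

    seeded = Market()
    seed_and_burn(seeded, "deployer", 10**18)    # 1 ETH burned at launch
    print("seeded market, 1 ETH donated: rate x", rate_swing(seeded, 10**18))
    print("launch check passes:", launch_check(seeded, 5 * 10**9))


if __name__ == "__main__":
    main()
```

The contrast is the whole lesson: a market holding a single cToken unit sees its exchange rate jump by a factor of five billion from one 1 ETH transfer, while a market seeded with 1 ETH of burned cTokens sees the same transfer merely double the rate. A minimum burned seed enforced at listing time, rather than a governance vote alone, is the check that was missing when the VUSD market was added.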
In the vast arena of DeFi, Onyx has managed to change "once bitten, twice shy" into "twice bitten, still oblivious."
As this latest act comes to a close, one can’t help but wonder: in a space where code sets the rules, who’s writing the guidelines? And more importantly, who’s actually taking the time to understand them?