Common Vulnerability Causes $2.1M Loss for Onyx Protocol

RivanorthRivanorth
2 min read

The decentralized finance (DeFi) sector was hit by the same vulnerability once again, read-only reentrancy, when Onyx Protocol, a Compound Finance fork, suffered a $2.1 million loss. This incident, marks yet another entry in a series of attacks leveraging the same vulnerability, that has hit notable names like Midas and many more in the past, with the cumulative losses now exceeding $10 million.

Behind the Breach

The exploit took advantage of a rounding error in the Compound v2 code, which under specific conditions, allows an attacker to manipulate empty markets to drain liquidity from the protocol. In Onyx's case, the vulnerability was triggered following the addition of a lending market for the memecoin PEPE, as per the governance's Proposal 22.

The attacker executed what is known as an 'empty market attack' by taking a flash loan, swapping it for PEPE, and then inflating the price of oPEPE by donating a large amount of PEPE to the pool. This overvaluation was then used as collateral to borrow other assets, ultimately draining the protocol’s liquidity. The profits, amounting to 1164 ETH, were funnelled through an intermediary address before most were deposited into Tornado Cash, with the remainder being distributed to on-chain panhandlers.

Lessons from the Incident

In response to the hack, Onyx Protocol has proposed a compensation plan to refund victims by selling native tokens from the treasury and pausing DAO contributors' salaries. However, this plan risks triggering a death spiral for the XCN token and misaligning team incentives.

When forking other projects it's vital to review the broader attack landscape as vulnerabilities that are not exploitable in the original project, might become exploitable due to the different market conditions the fork operates in.

Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit https://rivanorth.com/ to find out more.

You build the future. We help you secure it.

0
Subscribe to my newsletter

Read articles from Rivanorth directly inside your inbox. Subscribe to the newsletter, and don't miss out.

EthereumauditingSecuritycybersecuritySmart Contracts

Written by

Rivanorth
Rivanorth

State of the art Cybersecurity services, always a step ahead. You build the future. We help you secure it.