Onyx, a decentralized finance (DeFi) protocol, received community approval to relaunch its financial network, Onyx Core, following a $3.8 million hack on September 27.
The hack exploited a previously known security vulnerability, resulting in an immediate proposal (OIP-46) for a protocol and product overhaul, including shutting down the Ethereum-based lending marketplace.
The Onyx Enhancement Proposal (OIP-46), titled “Relaunch Onyx Core,” was presented the same day as the hack. It proposes to close the lending market and repay lenders in full. On September 29, the proposal received unanimous support from the community, setting the relaunch for October 1.
As part of the relaunch, the Onyx team will release a revised whitepaper and focus on running Onyx Core as a closed lending protocol, which will support the encapsulation of NFTs, real-world assets and crypto assets. The move aims to prevent future exploits, such as the one that occurred via a vulnerability in the NFTLiquidation contract, which was previously used in an attack in October 2023.
This restructuring comes at a time when crypto hacks are on the rise, with centralized exchanges the main targets, accounting for losses exceeding $2.1 billion in 2024.
According to security firm PeckShield, the Onyx hackers drained 4.1 million virtual dollars (VUSD), 7.35 million Onyxcoin (XCN), 0.23 wrapped Bitcoin (WBTC), $5,000 worth of stablecoin DAI and $50,000 worth of stablecoin USDT, for a total of over $3.8 million in losses.
The vulnerability that led to this exploit exists in the Compound Finance version 2 codebase, which is widely used by various DeFi protocols. This same flaw was exploited in an attack on Hundred Finance in April 2023 and in the first attack on Onyx in October 2023.
The vulnerability can be exploited when a DeFi protocol has an “empty market” – a market without liquidity – which typically happens when new markets are launched.
DeFi exploits have become a frequent problem in the Web3 space. Just days before the Onyx attack, Bedrock, a liquid staking protocol, lost over $2 million due to a vulnerability in its uniBTC contract. Additionally, Bankroll Network suffered a loss of $230,000 due to an attacker exploiting a faulty “buyFor” function.
Hackers often convert stolen tokens to Ether to launder funds through cryptocurrency mixers like Tornado Cash, complicating cybersecurity firms’ tracking efforts.
Crypto hacks have intensified in 2024. In the first quarter alone, $542.7 million was stolen, an increase of 42% compared to the same period in 2023. July was particularly bad, with more than $266 million stolen in 16 attacks, including a theft of $230 million from the Indian exchange WazirX, the second biggest hack of the year.