Onyx, a decentralized finance (DeFi) protocol, was exploited for $3.8 million due to a vulnerability in its non-fungible token (NFT) liquidation contract.
According to a report from blockchain security firm PeckShield, the attack used a known bug in the Compound Finance v2 codebase, which was previously exploited against Onyx in November 2023.
In a statement, the Onyx team acknowledged the exploit, stating that the faulty NFT contract was the main cause of the attack.
According to PeckShield, the attacker drained 4.1 million VUSD, 7.35 million Onyxcoin (XCN), 0.23 wrapped Bitcoin (WBTC), $5,000 worth of the DAI stablecoin and $50,000 worth of the USDT stablecoin, totaling over $3.8 million in losses.
The vulnerability that led to this exploit exists in the Compound Finance version 2 codebase, which many DeFi lending protocols have forked. The same flaw was exploited in the attack on Hundred Finance in April 2023 and in the first attack on Onyx in November 2023.
The vulnerability can be exploited when a DeFi protocol has an “empty market” – a market with little or no supply – which typically happens when new markets are launched and nobody has deposited into them yet.
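The mechanism behind the empty-market bug, as an added illustration that is not from the article and not code from Onyx or Compound: a simplified integer model of Compound v2's cToken accounting, where the exchange rate is cash × 1e18 / totalSupply (borrows, reserves, interest and price oracle are left out, and the initial exchange rate, the 2-wei attacker position, the 500,000-token donation and the seed amount are constructed values). It shows why a market with almost no cTokens outstanding lets a donation inflate the exchange rate so that two wei of cTokens are credited as the entire donation in collateral, and why the truncating division in redeemUnderlying then returns nearly the whole donation for a single wei of cToken. The second scenario shows the common mitigation of minting locked seed supply before a market opens, which makes the same sequence revert.

```python
MANTISSA = 10**18  # Compound v2 fixed-point scale (1e18 = 1.0)


class CTokenMarket:
    """Minimal integer model of one Compound v2 cToken market.

    Constructed simplification: no borrows, reserves, interest or price
    oracle; the underlying is priced at 1 and the collateral factor is 1.
    """

    def __init__(self, initial_exchange_rate=MANTISSA):
        self.cash = 0            # underlying tokens held by the market
        self.total_supply = 0    # cTokens outstanding
        self.initial_rate = initial_exchange_rate
        self.balances = {}

    def exchange_rate(self):
        # exchangeRateStored: the initial rate until the first mint, then
        # (cash + borrows - reserves) * 1e18 / totalSupply.
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * MANTISSA // self.total_supply

    def mint(self, who, amount):
        # mintFresh: cTokens minted = amount * 1e18 / rate (truncating).
        tokens = amount * MANTISSA // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def donate(self, amount):
        # A plain ERC-20 transfer to the cToken contract: raises cash
        # without minting, so the exchange rate jumps for every holder.
        self.cash += amount

    def collateral_value(self, who):
        # What the Comptroller's liquidity check credits to `who`:
        # cToken balance * exchange rate, in underlying units.
        return self.balances.get(who, 0) * self.exchange_rate() // MANTISSA

    def redeem_underlying(self, who, amount):
        # redeemUnderlying: cTokens burned = amount * 1e18 / rate, truncated.
        # When totalSupply is a few wei, the truncation hands the redeemer
        # almost a whole cToken's worth of underlying for free.
        tokens = amount * MANTISSA // self.exchange_rate()
        if tokens > self.balances.get(who, 0) or amount > self.cash:
            raise ValueError("redeem would revert: insufficient balance or cash")
        self.cash -= amount
        self.total_supply -= tokens
        self.balances[who] -= tokens
        return tokens


def run_attack(donation, seed_supply=0):
    """Replay the empty-market sequence against a fresh market.

    seed_supply > 0 models the mitigation of minting locked liquidity
    before the market opens to users.
    """
    market = CTokenMarket()
    if seed_supply:
        market.mint("locked-seed", seed_supply)   # never redeemed
    market.mint("attacker", 2)        # 2 wei of cTokens: a near-empty market
    market.donate(donation)           # inflate the exchange rate
    collateral = market.collateral_value("attacker")  # borrow power elsewhere
    try:
        burned = market.redeem_underlying("attacker", donation + 1)
    except ValueError:
        burned = None                 # the seeded market rejects the redeem
    return {
        "collateral": collateral,
        "burned": burned,
        "cash_left": market.cash,
        "supply_left": market.total_supply,
    }


if __name__ == "__main__":
    D = 500_000 * 10**18   # constructed donation: 500k underlying tokens
    print("empty market :", run_attack(D))
    print("seeded market:", run_attack(D, seed_supply=10**18))
```

In the unseeded run the attacker's two wei of cTokens are credited with the whole donation as collateral, which the liquidity check in other markets accepts as borrowing power; the redeem then burns one wei of cToken and returns all but one wei of the donation, leaving a single wei of underlying behind the cToken that still "backs" the borrow. With locked seed supply in place the same redeem would need far more cTokens than the attacker holds and reverts, and the donation only marginally raises everyone's exchange rate.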
The Onyx team clarified in a post that while the Compound vulnerability played a role, the root cause was the NFT liquidation contract. PeckShield agreed, noting that the contract failed to properly validate user inputs, which allowed the attacker to inflate self-liquidation rewards and drain funds.
DeFi exploits have become a frequent issue in the Web3 space. Just days before the Onyx attack, Bedrock, a liquid staking protocol, lost over $2 million due to a vulnerability in its uniBTC contract. Additionally, Bankroll Network suffered a loss of $230,000 due to an attacker exploiting a faulty “buyFor” function.
Hackers often convert stolen tokens to Ether and launder the proceeds through cryptocurrency mixers such as Tornado Cash, which complicates the tracing efforts of blockchain security firms.
Crypto hacks have intensified in 2024. In the first quarter alone, $542.7 million was stolen, an increase of 42% compared to the same period in 2023. July was particularly bad, with more than $266 million stolen in 16 attacks, including the theft of $230 million from the Indian cryptocurrency exchange WazirX, the second-biggest hack of the year.
The WazirX hacker attempted to move the stolen funds, consolidating $57 million worth of ETH into new addresses before July 22.
Most recently, the estimated loss from the alleged hack of Singapore-based cryptocurrency exchange BingX on Friday more than doubled to over $52 million after further investigation.