Onyx Protocol Suffers Almost $4M Hack
Onyx Protocol experienced a $3.8 million loss on 26 September, marking another incident in a growing wave of cyber-attacks targeting vulnerabilities in the crypto ecosystem.
These attacks underscore the persistent security challenges facing the industry, even as global authorities intensify their scrutiny.
As institutional investment in crypto rises, some analysts warn that the ongoing hacks could weaken market confidence, potentially dampening investor sentiment.
Security Firms Highlight Onyx's Hack
Blockchain security firm PeckShield identified suspicious transactions on OnyxDAO, suggesting a possible attack on the protocol.
In a follow-up report, PeckShield revealed a total loss of $3.8 million, with the hacker already in the process of exchanging the stolen funds.
Web3 security firm Cyvers confirmed the breach, citing suspicious activity on the Ethereum blockchain, with most of the stolen assets in VUSD stablecoin.
The incident has been traced to a precision issue in the CompoundV2 code base, allowing the hacker to manipulate exchange rates and drain assets including VUSD, DAI, XCN, USDT, and WBTC.
Specifically, the attacker exploited a nearly empty market to manipulate the exchange rate and siphon 4.1 million VUSD, 7.35 million XCN, 5,000 DAI, 0.23 WBTC, and 50,000 USDT.
On X (formerly known as Twitter), Onyx acknowledged the unusual activity and initiated a third-party post-mortem investigation.
About seven hours later, Onyx released the report.
This attack mirrors a previous incident in October 2023, when hackers used a similar exploit, attributed to a rounding error, to steal $2.1 million.
Both breaches highlight vulnerabilities linked to Onyx Protocol's status as a fork of Compound Finance.
Onyx Protocol's Hack Could Have Been Avoided
In the open-source DeFi space, developers often opt to build on existing code rather than develop new functionality from scratch.
While this approach can enhance efficiency and security when executed properly, it carries risks.
If the base code has vulnerabilities, such as the rounding error seen in the Onyx Protocol hack, those flaws can be inherited by the forked project.
Security firm Halborn reported:
“In the case of the Onyx protocol, the Compound Finance code that it used had a known vulnerability that had already been exploited in Hundred Finance and Midas Capital, which also forked the Compound Finance code. However, the Onyx Protocol used the same code and lacked the community support and vigilance needed to prevent the vulnerability from being exploited.”
This breach, which could have been avoided with proper attention to existing guidance on launching markets within Compound Finance and its forks, highlights a broader issue within DeFi.
Security firm Hexagate advised in April 2023:
“At Hexagate, we recommend any Compound V2 fork, when launching new markets to mint some cTokens and burn them to make sure the total supply never goes to zero. When the total supply goes to zero, the protocol becomes vulnerable and this strategy mitigates this situation.”
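A pre-launch check in the spirit of the recommendation above, as an added example that is not code from Onyx, Compound or Hexagate. It uses the Compound V2 exchange-rate formula (cash plus borrows minus reserves, scaled by 1e18, divided by total supply); the `Market` and `audit` names, the sample markets and both thresholds are constructed assumptions.

```python
from dataclasses import dataclass

MANTISSA = 10**18  # fixed-point scale Compound V2 uses for exchange rates

@dataclass
class Market:  # hypothetical snapshot of one cToken market, in base units
    name: str
    total_supply: int  # cToken base units in circulation
    cash: int          # underlying held by the market contract
    borrows: int
    reserves: int
    underlying_decimals: int

def exchange_rate(m):
    """Underlying base units per cToken base unit, scaled by 1e18."""
    if m.total_supply == 0:
        return None  # nothing in circulation, so there is no backed rate
    return (m.cash + m.borrows - m.reserves) * MANTISSA // m.total_supply

def audit(m, min_supply=10**6, max_unit_value=1e-6):
    """Return findings for one market; thresholds are assumed, tune per asset."""
    if m.total_supply == 0:
        return ["total supply is zero: mint and burn cTokens before listing"]
    findings = []
    if m.total_supply < min_supply:
        findings.append(f"total supply {m.total_supply} is below {min_supply}")
    # Truncating division can mis-round a mint or redeem by up to one cToken
    # base unit, so the value of one unit bounds the error per operation.
    unit_value = exchange_rate(m) / MANTISSA / 10**m.underlying_decimals
    if unit_value > max_unit_value:
        findings.append(f"one cToken unit is worth {unit_value:g} underlying")
    return findings

# Constructed sample markets, not on-chain data.
HEALTHY = Market("cUSD", 50_000_000 * 10**8, 1_000_000 * 10**6, 0, 0, 6)
UNSEEDED = Market("cNEW", 0, 0, 0, 0, 18)
NEAR_EMPTY = Market("cTHIN", 2, 5_000 * 10**18, 0, 0, 18)

if __name__ == "__main__":
    for market in (HEALTHY, UNSEEDED, NEAR_EMPTY):
        print(market.name, audit(market) or "ok")
```

A market that has been seeded and had the seed burned keeps `total_supply` permanently above zero, so the first check cannot fire again and the value of a single unit stays small.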
The Onyx hack and similar incidents have drawn increased regulatory attention to the crypto market, with authorities aiming to protect user funds from bad actors.
However, regulatory scrutiny, such as the SEC's lawsuits against crypto exchanges, can also hinder innovation.
Recent attacks, including a $4.6 million hack on decentralised infrastructure provider Truflation, further illustrate the ongoing challenge of securing digital assets against sophisticated theft in the crypto industry.