Onyx, a decentralized finance (DeFi) protocol, received community approval to relaunch its financial network, Onyx Core, following a $3.8 million hack on September 27.
The hack exploited a previously known security vulnerability, prompting an immediate proposal (OIP-46) to overhaul the protocol and products, including shutting down its Ethereum-based lending market.
The Onyx Improvement Proposal (OIP-46), titled “Relaunch Onyx Core,” was introduced the same day as the hack. It proposed shutting down the lending market and reimbursing lenders in full. By September 29, the proposal received unanimous community support, setting the relaunch for October 1.
As part of the relaunch, the Onyx team will issue a revised white paper and focus on running Onyx Core as a closed-ended lending protocol, which will support wrapping NFTs, real-world assets, and crypto assets. This move seeks to prevent future exploits, like the one that occurred through an NFTLiquidation contract vulnerability, which was previously used in an attack in October 2023.
This restructuring comes at a time when crypto hacks have been on the rise, with centralized exchanges being the primary targets, accounting for losses exceeding $2.1 billion in 2024.
According to security firm PeckShield, Onyx hackers drained 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 worth of the DAI stablecoin, and $50,000 worth of the USDT stablecoin, totaling over $3.8 million in losses.
The vulnerability that led to this exploit exists in Compound Finance’s version 2 codebase, which is widely used by various DeFi protocols. This same flaw was exploited in an attack on Hundred Finance in April 2023 and in the first attack on Onyx in October 2023.
The vulnerability can be exploited when a DeFi protocol has an “empty market” — a market with no liquidity — which typically occurs when new markets are launched.
DeFi exploits have become a frequent issue in the Web3 space. Just days before the Onyx attack, Bedrock, a liquid staking protocol, lost over $2 million due to a vulnerability in its uniBTC contract. Additionally, Bankroll Network suffered a $230,000 loss due to an attacker exploiting a faulty “buyFor” function.
Hackers often convert stolen tokens into Ether to launder the funds through cryptocurrency mixers like Tornado Cash, complicating the tracing efforts by cybersecurity firms.
Crypto hacks have been escalating in 2024. The first quarter alone saw $542.7 million stolen, a 42% increase from the same period in 2023. July was particularly severe, with over $266 million stolen across 16 attacks, including a $230 million theft from Indian exchange WazirX, the second-largest hack of the year.
