Onyx, a decentralized finance (DeFi) protocol, was exploited for $3.8 million due to a vulnerability in its non-fungible token (NFT) liquidation contract.
According to a report from blockchain security firm PeckShield, the attack exploited a known bug in the Compound Finance v2 codebase, the same bug that had previously been used against Onyx in November 2023.
In a statement, the Onyx team acknowledged the exploit, stating that the faulty NFT contract was the primary cause of the attack.
According to PeckShield, the attacker drained 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 worth of the DAI stablecoin, and $50,000 worth of the USDT stablecoin, totaling over $3.8 million in losses.
The vulnerability that led to this exploit exists in Compound Finance's version 2 codebase, which many DeFi protocols have forked. The same flaw was exploited in the attack on Hundred Finance in April 2023 and in the first attack on Onyx in November 2023.
The vulnerability can be exploited when a DeFi protocol has an "empty market" (a market with no liquidity), which typically occurs when new markets are launched. In that state the attacker can become the only supplier, hold a dust amount of cTokens, and then send underlying tokens directly to the market contract; because Compound v2 derives the exchange rate from the contract's balance divided by total cToken supply, this inflates the value of the attacker's handful of cTokens, which can then be used as collateral to borrow from other markets, while rounding in the redeem path lets the attacker withdraw the deposit for far fewer cTokens than the liquidity check assumes.
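To make the mechanics concrete, the following is an added toy model of Compound v2's cToken accounting (it is not Onyx's or Compound's code). It uses the same integer, round-down arithmetic as the EVM contracts, replays the empty-market manipulation step by step, and then shows why seeding a new market with a locked initial deposit, a common mitigation, defeats it. The amounts, the 8-decimal underlying, the collateral factor and the single-market "value unit" for borrows are all simplifying assumptions.

```python
"""Toy Compound v2 cToken model, added as an illustration of the empty-market exploit.
Not the protocol's code. EXP is the 1e18 fixed-point scale Compound uses; amounts are
integers in an 8-decimal underlying (satoshi-like units); borrows from other markets
are tracked in the same value unit, which is a simplification."""

EXP = 10**18


class CToken:
    """One collateral market with Compound v2 style rounding (borrows/reserves omitted)."""

    def __init__(self, initial_rate: int, collateral_factor: int):
        self.cash = 0               # underlying held by the contract
        self.total_supply = 0       # cTokens in circulation
        self.balances: dict[str, int] = {}
        self.borrows: dict[str, int] = {}   # value borrowed elsewhere against this collateral
        self.initial_rate = initial_rate    # mantissa used while total_supply == 0
        self.collateral_factor = collateral_factor  # mantissa, e.g. 0.9e18

    def exchange_rate(self) -> int:
        # Compound v2: cash * 1e18 / totalSupply. A direct ERC-20 transfer raises cash
        # without minting, so with a dust supply the rate can be pushed arbitrarily high.
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * EXP // self.total_supply

    def mint(self, who: str, amount: int) -> int:
        tokens = amount * EXP // self.exchange_rate()          # rounds down
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def donate(self, amount: int) -> None:
        self.cash += amount    # plain token transfer into the contract: no cTokens minted

    def collateral_value(self, who: str) -> int:
        # What the comptroller's liquidity check credits for a holder's cTokens.
        return self.balances.get(who, 0) * self.exchange_rate() // EXP * self.collateral_factor // EXP

    def borrow(self, who: str, value: int) -> int:
        if self.collateral_value(who) < self.borrows.get(who, 0) + value:
            raise ValueError("insufficient collateral")
        self.borrows[who] = self.borrows.get(who, 0) + value
        return value

    def _redeem(self, who: str, tokens: int, amount: int) -> int:
        if tokens > self.balances.get(who, 0) or amount > self.cash:
            raise ValueError("insufficient balance")
        remaining = self.balances[who] - tokens
        # The liquidity check is done on the cToken count, not on the underlying paid out.
        if remaining * self.exchange_rate() // EXP * self.collateral_factor // EXP < self.borrows.get(who, 0):
            raise ValueError("insufficient liquidity")
        self.balances[who] = remaining
        self.total_supply -= tokens
        self.cash -= amount
        return amount

    def redeem_tokens(self, who: str, tokens: int) -> int:
        return self._redeem(who, tokens, tokens * self.exchange_rate() // EXP)

    def redeem_underlying(self, who: str, amount: int) -> int:
        # redeemTokens = amount / rate, truncated: with 2 cTokens backing `cash`, asking for
        # cash - 1 burns floor(2 - 2/cash) == 1 cToken while paying out almost everything.
        return self._redeem(who, amount * EXP // self.exchange_rate(), amount)


def empty_market_attack(donation: int, seed: int = 0) -> dict:
    """Replay the manipulation on a fresh market. `seed` is underlying the deployer supplies
    and locks before opening the market (mitigation); seed=0 reproduces an empty market."""
    m = CToken(initial_rate=2 * 10**16, collateral_factor=9 * 10**17)
    if seed:
        m.mint("locked", seed)            # deployer's locked liquidity, never redeemed
    m.mint("attacker", 1)                 # 1 unit at the initial rate -> 50 cTokens
    m.redeem_tokens("attacker", 48)       # 48 cTokens round to 0 underlying: 2 cTokens left, cash unchanged
    m.donate(donation)                    # flash-loaned underlying sent straight to the contract
    # Borrow exactly what the check will still allow once one of the attacker's two cTokens is gone.
    one_ctoken = m.exchange_rate() // EXP * m.collateral_factor // EXP
    borrowed = m.borrow("attacker", one_ctoken)
    try:
        recovered = m.redeem_underlying("attacker", m.cash - 1)   # burns a single cToken if unseeded
    except ValueError:
        recovered = 0                     # seeded market: the request would burn more cTokens than held
    backing = m.balances["attacker"] * m.exchange_rate() // EXP   # real value left behind the loan
    return {"borrowed": borrowed, "recovered": recovered,
            "unbacked_debt": max(0, borrowed - backing), "cash_left": m.cash}


if __name__ == "__main__":
    print("empty market :", empty_market_attack(500 * 10**8))
    print("seeded market:", empty_market_attack(500 * 10**8, seed=10**8))
```

In the unseeded run the attacker recovers the whole donation while burning one of two cTokens, and the borrow taken against the inflated rate is left backed by a single unit of underlying. With a locked seed deposit the same `redeem_underlying` request would have to burn billions of cTokens the attacker does not hold, so the call reverts and the small loan stays over-collateralized. Real forks typically also add a minimum first-mint amount; both are protocol-level fixes for the flaw, not a description of Onyx's own patch.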
The Onyx team clarified in a post that while the Compound vulnerability played a role, the root cause was the NFT liquidation contract. PeckShield agreed, noting that the contract failed to properly validate user input, allowing the attacker to inflate self-liquidation rewards and drain funds.
DeFi exploits have become a frequent issue in the Web3 space. Just days before the Onyx attack, Bedrock, a liquid staking protocol, lost over $2 million due to a vulnerability in its uniBTC contract. Additionally, Bankroll Network suffered a $230,000 loss due to an attacker exploiting a faulty “buyFor” function.
Hackers often convert stolen tokens into Ether and launder the funds through cryptocurrency mixers such as Tornado Cash, which complicates tracing by blockchain analytics and security firms.
Crypto hacks have been escalating in 2024. The first quarter alone saw $542.7 million stolen, a 42% increase from the same period in 2023. July was particularly severe, with over $266 million stolen across 16 attacks, including a $230 million theft from Indian exchange WazirX, the second-largest hack of the year.
The WazirX hacker has been moving the stolen funds, consolidating $57 million worth of ETH into new addresses by July 22.
Most recently, the estimated loss from a suspected hack of Singapore-based cryptocurrency exchange BingX on Friday more than doubled to over $52 million after further investigation.