Onyx Protocol loses $2.1M after latest security breach

• Exploit exposed a well-known bug related to a popular CompoundV2 fork
• This wasn’t the first time this particular bug had been used in an attack

On 27 October, the decentralized peer-to-peer lending platform Onyx Protocol became the victim of a significant exploit, resulting in the loss of approximately $2.1 million. This exploit exposed a well-known bug related to a popular CompoundV2 fork, a vulnerability that had previously been leveraged in another attack in April.

Blockchain investigator PeckShield brought attention to this security breach and the underlying bug. Despite the potential for financial devastation, this event went unnoticed by the protocol.

The security breach centered around an oPEPE market on Onyx Protocol, which suffered from a liquidity deficit. The attacker seized upon this vulnerability, taking advantage of the market’s liquidity shortfall and a known rounding issue. The attack was initiated by making donations to borrow funds from other markets with healthier liquidity, diverting these acquired funds to the compromised oPEPE market.

Once in this market, the bad actors exploited the rounding issue, making it possible to redeem the donated funds and profit from the hack.

Familiar bug, different victim

Remarkably, this was not the first time this particular bug had been used in an attack. In April, an attacker similarly took advantage of this vulnerability to pilfer $7 million from Hundred Finance, a multichain lending protocol. The earlier attack, which affected Hundred Finance, involved the manipulation of the exchange rate between ERC-20 tokens and hTOKENS. This manipulation allowed the attacker to withdraw more tokens than they had initially deposited.

The crypto-sector has become synonymous with hacks lately. On 31 October, reports revealed that UniBot [UNIBOT] suffered a hacking incident. The team attributed the attack to a token approval exploit within their new router. This led to a temporary halt in response to the breach. The team later reassured users that they would reimburse any funds lost in the hack.