Onyx Protocol Hacked for 2.1 Million USD through Flash Loan Attack

Summary
On the evening of November 1, 2023, blockchain security firm PeckShield reported a flash loan attack on the DeFi protocol Onyx Protocol, resulting in a loss of over 2.1 million USD.

Details of the Attack
The hacker exploited a rounding vulnerability in Onyx Protocol's codebase, an older fork of Compound V2. The bug causes precision loss in the market's exchange-rate arithmetic, which let the attacker manipulate the exchange rate and withdraw more assets than the market legitimately held.
The @OnyxProtocol hack leads to ~$2.1M loss by exploiting a known rounding issue behind the popular CompoundV2 fork.
Basically, the exploited oPEPE market was deployed 5 days ago without any liquidity. This empty market was abused with donation to borrow funds from other… https://t.co/ijkXbOyYr2
— PeckShield Inc. (@peckshield) November 1, 2023
Process of the Attack:
- The attacker took out a flash loan to borrow a significant amount of ETH.
- Swapped the borrowed ETH for PEPE tokens.
- Deposited these tokens into a specific pool to manipulate its exchange rate.
- Because of the precision loss, the attacker withdrew more assets than the pool could accurately account for.
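To make the rounding issue concrete, the following is an added example (not code from the article, PeckShield or Onyx Protocol): an integer model of the Compound V2 mint, donation and redeem arithmetic that measures how much underlying a redeem can remove beyond what the protocol books as burned, first for an empty market and then for one the deployer seeded with liquidity. Class and function names are hypothetical, all amounts are constructed, and borrows and reserves are left out of the exchange-rate formula.

```python
MANTISSA = 10**18


class CTokenMarket:
    """Minimal integer model of a Compound V2 market: underlying cash, cToken
    supply and the truncating divisions behind the known rounding issue."""

    def __init__(self, initial_exchange_rate: int) -> None:
        self.initial_exchange_rate = initial_exchange_rate
        self.cash = 0          # underlying held by the contract
        self.total_supply = 0  # cTokens in circulation

    def exchange_rate(self) -> int:
        # exchangeRate = cash / totalSupply, 1e18-scaled; the configured
        # initial rate applies only while no cTokens exist
        if self.total_supply == 0:
            return self.initial_exchange_rate
        return self.cash * MANTISSA // self.total_supply

    def mint(self, amount: int) -> int:
        tokens = amount * MANTISSA // self.exchange_rate()  # rounds down
        self.cash += amount
        self.total_supply += tokens
        return tokens

    def donate(self, amount: int) -> None:
        # a plain ERC-20 transfer to the contract: cash rises, nothing is minted
        self.cash += amount

    def accounting_gap(self, burnable: int) -> int:
        """Underlying that leaves the contract minus the value the protocol
        books as burned, for the largest redeemUnderlying that burns at most
        `burnable` cTokens (redeemTokens = amount / rate, rounded down). The
        gap is bounded by one cToken's worth of underlying."""
        rate = self.exchange_rate()
        amount = min(((burnable + 1) * rate - 1) // MANTISSA, self.cash)
        tokens = amount * MANTISSA // rate
        return amount - tokens * rate // MANTISSA


def gap_after_donation(seed: int, deposit: int, donation: int) -> int:
    """Gap for a market the protocol seeded with `seed` underlying (0 models a
    freshly deployed, empty market) after a tiny `deposit` and a `donation`,
    when the depositor burns all but one of its cTokens."""
    m = CTokenMarket(initial_exchange_rate=2 * 10**26)  # Compound's usual default for 18-dec assets
    if seed:
        m.mint(seed)  # seed cTokens stay with the protocol and are never redeemed
    held = m.mint(deposit)
    m.donate(donation)
    return m.accounting_gap(held - 1)
```

With no seed, a 2-cToken supply plus a large donation lets a redeem remove about half the cash while the protocol books only one cToken as burned; with a seeded supply of trillions of cTokens the same sequence leaves a gap of a fraction of a token, which is why listing a market with nonzero locked liquidity is the standard mitigation.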
Impact and Aftermath
The attacker swiftly moved the stolen funds, totaling over 1,164 ETH (approximately 2.1 million USD), to the wallet address "0x4C9C8661243E9E9a15A35B8873317eb881330c98".

Laundering the Funds:
- PeckShield noted that the attacker laundered the stolen ETH through Tornado Cash, an Ethereum mixing service.
- Within just over an hour, all the stolen funds had been processed through Tornado Cash.
Update: Onyx Protocol Exploiter has laundered ~1,130 $ETH to #TornadoCash
— PeckShieldAlert (@PeckShieldAlert) November 1, 2023
Similarity to Previous Attacks
PeckShield highlighted the similarity between this attack and a previous one on Hundred Finance in April 2023, which resulted in a loss of 7.4 million USD. Like Hundred Finance, Onyx Protocol will likely face significant challenges in addressing user compensation and restoring service.
The new way to make money: beg for the exploiter
The #OnyxProtocol Exploiter sends ETH to people who beg for money on-chain.
Somebody sends the following message and the exploiter sends him 6.5 $ETH ($12.1K)
Guess this method finally works for an exploiter?
Address:…
— Scopescan (@0xScopescan) November 2, 2023
Broader Context of Flash Loan Attacks
What is a Flash Loan?
- Flash loans allow users to borrow large amounts of cryptocurrency without collateral, provided the loan is repaid within the same transaction block.
Recent Trends:
- PeckShield reported 386 DeFi attacks in the first half of 2023, with total losses of 479 million USD.
- Of these attacks, 71% involved flash loans, with notable victims including Euler Finance, Platypus, 0VIX, and Allbridge.
Conclusion
Flash loan attacks continue to be a significant vulnerability in the DeFi space. The incident with Onyx Protocol underscores the ongoing challenges in securing decentralized finance platforms against sophisticated exploits. Companies like Quantstamp are working towards solutions to address these vulnerabilities and enhance the overall security of the DeFi ecosystem.