How a Known Bug Led to a $3.8 Million Hack on Onyx Protocol

Onyx Protocol, a Compound Finance fork, suffered a $3.8 million loss on Thursday to mark another entry in a series of attacks as bad actors explore system vulnerability.

Cyber-attacks continue to plague the crypto industry, highlighting the need for enhanced security.  

$3.8 Million Hack Hits Onyx Protocol

Blockchain security firm PeckShield highlighted suspicious transactions on OnyxDAO, drawing attention to a possible attack on the protocol. In a follow-up post, the on-chain detective revealed losses reaching $3.8 million, indicating that the hacker was already swapping the funds.

Web3 security firm Cyvers corroborated the incident, citing suspicious transactions involving OnyxDAO on the Ethereum blockchain. According to Cyvers, most of the loss was in VUSD stablecoin.

“Our system has detected a suspicious transaction involving OnyxDAO on the ETH chain! The total loss is around $3.2 million [at the time]. Most of the losses are in VUSD. Attacker currently holds 521 ETH ($1.36 million). The rest of the digital assets are not swapped yet,” Cyvers wrote.

Read more: Crypto Project Security: A Guide to Early Threat Detection

Additional investigations by PeckShield revealed that the attacker capitalized on a known precision issue presented as a bug in the forked Compound V2 code base. They then siphoned 4.1 million VUSD, 7.35 million XCN, 5,000 DAI, 0.23 WBTC, and 50,000 USDT. Reportedly, the bug leveraged a nearly empty market to manipulate the exchange rate.

Notably, hackers used the same approach in October 2023, hacking the same protocol for $2.1 million. In the October incident, the vulnerability was a rounding error. At the time, researchers ascribed the vulnerability to Onyx Protocol being a fork of Compound Finance.

How the Code Vulnerability Occurs

With many DeFi protocols being open-source, developers tend to avoid the long approach. They opt to build off of an existing code as opposed to implementing functionality from scratch.

The approach is considered popular as it can improve efficiency and security when done correctly. The downside is that if the template code is not secure, the fork may inherit the vulnerabilities.

“In the case of the Onyx protocol, the Compound Finance code that it used had a known vulnerability that had already been exploited in Hundred Finance and Midas Capital, which also forked the Compound Finance code. However, the Onyx Protocol used the same code and lacked the community support and vigilance needed to prevent the vulnerability from being exploited,” security firm Halborn reported.

This means the Onyx Protocol hack could have been prevented, given the prevalence of rounding errors. Notably, guidance already exists when launching new markets on Compound Finance and its forks.

“At Hexagate, we recommend any Compound V2 fork, when launching new markets to mint some cTokens and burn them to make sure the total supply never goes to zero. When the total supply goes to zero, the protocol becomes vulnerable and this strategy mitigates this situation,” security firm Hexgate guided in April 2023.

Read more: What Is Compound Finance?

These incidences, including a $4.6 million attack on decentralized infrastructure Truflation on Wednesday, reflect the prevalent challenge in the crypto industry, where bad actors use different mechanisms to steal digital assets.