Decentralized liquidity protocol Onyx has suffered a security breach that siphoned millions worth of crypto assets from the platform.
Blockchain security firm PeckShield says the perpetrators made off with over $3.8 million in crypto assets, which include 7.35 million of the protocol’s utility token Onyxcoin (XCN), 50,000 Tether (USDT), 4.1 million Virtual USD (VUSD), 5,000 DAI and 0.23 Wrapped Bitcoin (WBTC).
The attackers also swapped the tokens for Ethereum (ETH).
“Here are the latest whereabouts of the stolen $3.8 million funds from OnyxDAO.”
PeckShield identifies an issue that enabled the hackers to compromise the platform.
“It seems today’s victim OnyxDAO (w/ >$3.8m loss) falls prey to a known precision issue in forked CompoundV2 code base… The bug is exploited to leverage a nearly empty market to manipulate the exchange rate.”
Aside from the bug in the forked Compound V2 code base, the attackers also took advantage of another vulnerability.
“Another issue that facilitates the hack is related to the NFTLiquidation contract, which does not properly validate (untrusted) user input and was exploited to inflate the self-liquidation reward amount.”
Onyx, which conducted an investigation following the incident, says the primary issue is the NFTLiquidation contract.
“Onyx Protocol was subject to a security incident where a nefarious actor exploited the protocol to drain VUSD from the protocol. This exploit can be identified and understood from a vulnerability in the NFT Liquidation contract.”
Generated Image: Midjourney