
Onyx protocol exploited a second time for $3.8M via known bug

News Feed - 2024-09-27 11:09:45

Christopher Roark

The decentralized finance app lost nearly $4 million thanks to an interaction between an old bug and a new input validation vulnerability.

Decentralized finance (DeFi) protocol Onyx was exploited for $3.8 million on Sept. 26, according to a report from blockchain security platform PeckShield. The exploit used a known bug in the Compound Finance v2 codebase — one that had already been used to exploit Onyx previously on Nov. 1. A vulnerability in the non-fungible token (NFT) liquidation contract also contributed to the exploit, the report stated.


In a Sept. 27 X post, the Onyx team claimed that the faulty NFT contract was the root cause of the exploit.


According to the PeckShield report, 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 worth of the Dai (DAI) stablecoin and $50,000 worth of the USDt (USDT) stablecoin were drained from the protocol, for a total of over $3.8 million in losses.

Source: PeckShield


The known vulnerability exists in version 2 of Compound Finance, a codebase that is often forked and used by decentralized finance protocols. It led to an exploit against Hundred Finance in April 2023. In October 2023, the vulnerability was used against Onyx for the first time.


Related: Onyx Protocol suffers $2.1M Hundred Finance copycat attack


The flaw can only be exploited when an “empty market,” or a market with no liquidity, exists, which generally only happens when a new market is launched.


The Onyx team acknowledged the exploit in an X post. “Onyx Protocol was subject to a security incident where a nefarious actor exploited the protocol to drain VUSD from the protocol,” it stated. However, it claimed that the known flaw was not its primary cause. “The primary issue wasn’t an empty market but the NFTLiquidation Contract,” it stated in a thread.


PeckShield agreed that the NFT contract was “[a]nother issue that facilitates the hack.” The faulty contract allowed the attacker to “inflate the self-liquidation reward amount” because it didn’t “properly validate (untrusted) user input.”

Onyx NFT contract vulnerability. Source: PeckShield


DeFi exploits are a common source of losses for Web3 users. On Sept. 27, liquid staking protocol Bedrock lost over $2 million due to a vulnerability in its uniBTC contract. On Sept. 23, Bankroll Network was drained of $230,000 when an attacker made multiple self-transfers, exploiting a faulty “buyFor” function to inflate their profits.
