
Onyx protocol exploited a second time for $3.8M via known bug

News Feed - 2024-09-27 11:09:45

By Christopher Roark

The decentralized finance app lost nearly $4 million thanks to an interaction between an old bug and a new input validation vulnerability.

Decentralized finance (DeFi) protocol Onyx was exploited for $3.8 million on Sept. 26, according to a report from blockchain security platform PeckShield. The exploit used a known bug in the Compound Finance v2 codebase — one that had already been used to exploit Onyx previously on Nov. 1. A vulnerability in the non-fungible token (NFT) liquidation contract also contributed to the exploit, the report stated.


In a Sept. 27 X post, the Onyx team claimed that the faulty NFT contract was the root cause of the exploit.


According to the PeckShield report, 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 worth of the Dai (DAI) stablecoin and $50,000 worth of the USDt (USDT) stablecoin were drained from the protocol, for a total of over $3.8 million in losses.

Source: PeckShield


The known vulnerability exists in version 2 of Compound Finance, which is a codebase often forked and used by decentralized finance protocols. It led to an exploit against Hundred Finance in April 2023. In October 2023, the vulnerability was used against Onyx for the first time.


Related: Onyx Protocol suffers $2.1M Hundred Finance copycat attack


The flaw can only be exploited when an “empty market,” or a market with no liquidity, exists, which generally only happens when a new market is launched.
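A launch-gate check built on the empty-market precondition described above; this is an added example, not code from Onyx, Compound or PeckShield. It assumes snapshots read from the standard Compound v2 views, treats an empty market as dangerous only while its collateral factor is nonzero (an assumption reflecting common practice among fork operators), and uses a made-up `MIN_SEEDED_SUPPLY` threshold.

```python
from dataclasses import dataclass

# Assumed floor below which a market counts as unseeded; the value is
# illustrative and not taken from Onyx or Compound.
MIN_SEEDED_SUPPLY = 10**8


@dataclass(frozen=True)
class MarketSnapshot:
    symbol: str
    is_listed: bool                  # Comptroller.markets(cToken).isListed
    collateral_factor_mantissa: int  # same struct, scaled by 1e18
    total_supply: int                # cToken.totalSupply()


def classify(m: MarketSnapshot) -> str:
    """Return 'critical', 'warn', 'hold' or 'ok' for one market."""
    if not m.is_listed:
        return "ok"  # an unlisted market cannot back any borrow
    collateral_enabled = m.collateral_factor_mantissa > 0
    if m.total_supply == 0:
        # No liquidity at all: the "empty market" condition from the article.
        return "critical" if collateral_enabled else "hold"
    if m.total_supply < MIN_SEEDED_SUPPLY and collateral_enabled:
        return "warn"  # nearly empty, e.g. a live market that was drained
    return "ok"


def audit(markets):
    """Map symbol -> status for every market that is not 'ok'."""
    findings = {m.symbol: classify(m) for m in markets}
    return {sym: status for sym, status in findings.items() if status != "ok"}


# Constructed snapshots; symbols and numbers are made up for the example.
SAMPLE = [
    MarketSnapshot("mNEW", True, 6 * 10**17, 0),        # just listed, no deposits
    MarketSnapshot("mPENDING", True, 0, 0),             # listed, collateral off
    MarketSnapshot("mDRAINED", True, 75 * 10**16, 5),   # older market, emptied out
    MarketSnapshot("mLIVE", True, 8 * 10**17, 10**14),  # healthy market
    MarketSnapshot("mUNLISTED", False, 0, 0),
]

if __name__ == "__main__":
    for symbol, status in audit(SAMPLE).items():
        print(f"{symbol}: {status}")
```

A `hold` result means the market may stay listed but should be seeded before its collateral factor is raised above zero.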


The Onyx team acknowledged the exploit in an X post. “Onyx Protocol was subject to a security incident where a nefarious actor exploited the protocol to drain VUSD from the protocol,” it stated. However, it claimed that the known flaw was not its primary cause. “The primary issue wasn’t an empty market but the NFTLiquidation Contract,” it stated in a thread.


PeckShield agreed that the NFT contract was “[a]nother issue that facilitates the hack.” The faulty contract allowed the attacker to “inflate the self-liquidation reward amount” because it didn’t “properly validate (untrusted) user input.”

Onyx NFT contract vulnerability. Source: PeckShield


DeFi exploits are a common source of losses for Web3 users. On Sept. 27, liquid staking protocol Bedrock lost over $2 million due to a vulnerability in its uniBTC contract. On Sept. 23, Bankroll Network was drained of $230,000 when an attacker made multiple self-transfers, exploiting a faulty “buyFor” function to inflate their profits.
