Rob Behnke
October 1st, 2024
In September 2024, the Onyx Protocol suffered a hack that demonstrated the importance of learning from past mistakes. The protocol was exploited for $3.8 million via the same vulnerability that caused $2.1 million in losses in October 2023.
The root cause of both Onyx Protocol hacks is that the protocol is a Compound v2 fork, and Compound v2 has a known decimal-precision issue in markets with low liquidity. This vulnerability has been the root cause of several recent hacks, including those of Hundred Finance and Sonne Finance.
Recently, Onyx’s governance created a new VUSD market. However, the protocol didn’t follow the established best practice for Compound v2 forks, which is to mint and burn a small amount of tokens in the new market so that it is never empty.
Without this step, the market is vulnerable to price manipulation. Using a flash loan from Balancer, the attacker minted and redeemed oETH in tiny quantities, which destabilized the market’s exchange rate.
Additionally, the Onyx exploiter identified and exploited a vulnerability in the protocol’s NFTLiquidation smart contract, which didn’t properly validate untrusted user input. As a result, they were able to manipulate the reward granted for self-liquidation, allowing them to drain additional value from the protocol. In total, the attacker stole an estimated $3.8 million in various tokens.
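To see why the seeding step matters, here is an added Python model (not Onyx Protocol or Compound code) of the Compound v2 exchange-rate formula, comparing how far a direct donation of underlying moves the rate on an empty market versus one launched with a locked seed deposit. The initial exchange rate and every amount used are constructed assumptions.

```python
# Added example: minimal model of the Compound v2 cToken exchange rate, showing why an
# empty market is fragile and why locked seed cTokens bound what a donation can do.

MANTISSA = 10**18
INITIAL_EXCHANGE_RATE = 10**18  # constructed: 1 underlying per cToken while supply is 0


class CTokenMarket:
    """Quantities behind a cToken's exchange rate (borrows and reserves held at zero)."""

    def __init__(self):
        self.cash = 0          # underlying held by the contract
        self.total_supply = 0  # cTokens in existence
        self.locked = 0        # cTokens minted at launch and sent to a dead address

    def exchange_rate(self):
        # Compound v2: exchangeRate = (cash + borrows - reserves) * 1e18 / totalSupply
        if self.total_supply == 0:
            return INITIAL_EXCHANGE_RATE
        return self.cash * MANTISSA // self.total_supply

    def mint(self, underlying):
        """Deposit underlying and receive cTokens at the current rate (mintFresh math)."""
        minted = underlying * MANTISSA // self.exchange_rate()
        self.cash += underlying
        self.total_supply += minted
        return minted

    def seed_and_lock(self, underlying):
        """Best-practice launch step: mint with protocol funds and burn (lock) the
        cTokens so totalSupply can never fall back to zero or to dust."""
        self.locked += self.mint(underlying)

    def donate(self, underlying):
        """Underlying sent straight to the contract, bypassing mint: cash rises, supply does not."""
        self.cash += underlying


def rate_multiplier_after_donation(seed, deposit, donation):
    """Factor by which the exchange rate exceeds its initial value after a market holding
    `seed` locked underlying takes a `deposit` via mint and then receives a `donation`."""
    market = CTokenMarket()
    if seed:
        market.seed_and_lock(seed)
    market.mint(deposit)
    market.donate(donation)
    return market.exchange_rate() // INITIAL_EXCHANGE_RATE


if __name__ == "__main__":
    eth = 10**18
    print("empty market :", rate_multiplier_after_donation(0, 1, 1000 * eth))    # 10**21 + 1
    print("seeded market:", rate_multiplier_after_donation(eth, 1, 1000 * eth))  # 1000
```

With a 1 wei deposit and no seed, a 1000-token donation multiplies the rate by about 10^21; with 1 token of locked seed, the same donation moves it by roughly 1000x, bounded by the donation-to-seed ratio.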
The most significant takeaway from the second Onyx Protocol hack is the importance of learning from past security incidents. Several Compound v2 forks have been hacked through this known issue in the code, even though best-practice guidance offers a simple mitigation. Onyx Protocol takes this a step further, suffering multiple hacks within a year that exploited the same vulnerability because these best practices were never implemented.
The Onyx Protocol hack also underscores the importance of performing a smart contract audit before releasing new code to the blockchain. While the protocol has undergone audits in the past, the last was in January 2022, and the project has released new code since then. As a result, the attacker was able to exploit a vulnerability in the project’s NFTLiquidation contract, which was important to the success of this exploit.
Protecting DeFi protocols from hacks requires a robust security program, including smart contract audits and an awareness of the risks that a project faces and how to mitigate them. For help protecting your protocol against attacks, get in touch with Halborn.