Original | Odaily Planet Daily (@OdailyChina)
Author | Fu Howe (@vincent31515173)
Yesterday, the lending platform Onyx Protocol was attacked through a smart-contract vulnerability, resulting in losses of more than 3.8 million US dollars. The stolen funds included 13 million VUSD (PeckShield's tally, cited below, puts the VUSD figure at 4.1 million), 7.35 million XCN, 5,000 DAI, 0.23 WBTC and 50,000 USDT.
CoinGecko data shows that VUSD immediately lost its peg, falling to a low of $0.2757, a 24-hour drop of 72.43%. At the time of writing, VUSD remains below its peg but has rebounded to $0.7228, narrowing the 24-hour drop to 28.3%.
In response to the theft, Onyx Protocol published proposal OIP-46, which suggests relaunching Onyx Core, Onyx's open-source licensed financial network, as the main product, together with XCN Staking to secure the governance of Onyx Core and the rewards of Onyx stakers.
According to the proposal, Onyx Protocol would run as a closed lending protocol on Onyx Core, allowing users to wrap and lend NFTs and real-world assets (RWA) while supporting crypto assets from multiple chains. The Ethereum-based lending market would be closed, and all affected users would be fully compensated, receiving 1:1 for the assets they supplied.
Event Review
At 20:48 on September 26, security firm Cyvers posted on X that its system had detected suspicious transactions involving Onyx, with losses possibly reaching 3.2 million US dollars.
At 21:55 the same day, security firm PeckShield posted on X that the withdrawn funds included 4.1 million VUSD, 7.35 million XCN, 5,000 DAI, 0.23 WBTC and 50,000 USDT.
VUSD subsequently issued an announcement stating: "A security breach resulted in the theft of more than $13 million in VUSD. The hacker then sold the stolen VUSD into the liquidity pool, resulting in a loss of approximately $1.5 million in secondary-market liquidity. Following the incident, the smart contract has been paused for proper communication, and it has been confirmed that there are no vulnerabilities in the VUSD codebase or reserves. Malicious actors will be blacklisted in accordance with the terms of service. Once the investigation is complete, the VUSD smart-contract service will resume and participants can continue to arbitrage."
VUSD said it remains fully backed by overcollateralized assets and that institutional users can redeem and mint VUSD at market prices. VUSD is working with Onyx DAO and the relevant authorities to identify the attackers, and plans to explore the licenses required for retail redemption in the future.
What caused the Onyx Protocol theft?
Security firm PeckShield said the issue that enabled the hack lay in an NFT liquidation contract that failed to properly validate untrusted user input, allowing the self-liquidation reward amount to be artificially inflated.
Onyx Protocol quoted PeckShield's tweet about the NFTLiquidation contract vulnerability and said the attacker used it to drain VUSD from the protocol. According to Onyx, the vulnerability stems from a security flaw in the NFT liquidation contract: the main problem is not the empty market but the NFT Liquidation contract, and XCN Staking and XCN Farming are not affected.
Well-known security company CertiK told Odaily Planet Daily: Onyx Protocol's liquidation contract did not verify the oTokenCollateral and oTokenRepay addresses passed in by the user. Put simply, the attacker, through a malicious contract he had deployed, deceived the Onyx protocol into believing the debt had been repaid, and thereby retrieved all of the collateral without repaying it.
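To make the class of flaw CertiK describes concrete, here is an added Python model (not Onyx's NFTLiquidation contract, and not a reconstruction of the actual exploit transaction) of a liquidation helper that pays a reward based on what a caller-supplied market contract reports, beside a version that first checks both addresses against the Comptroller's market listing, the same isListed check Compound V2's liquidateBorrowAllowed applies to its own cTokens. The contract names, addresses, the 5% reward formula and the amounts are assumptions for the example.

```python
# Toy model of a liquidation helper that trusts caller-supplied market
# addresses, beside one that checks them against the Comptroller listing.
# Added example, not Onyx's NFTLiquidation contract; names, addresses,
# the 5% reward formula and all amounts are assumptions.
MANTISSA = 10**18


class Comptroller:
    """Compound V2 records markets[addr].isListed; only listed oTokens are real."""
    def __init__(self):
        self.listed = set()

    def support_market(self, o_token):
        self.listed.add(o_token.address)

    def is_listed(self, address):
        return address in self.listed


class OToken:
    """Genuine market: reports only collateral that was actually seized."""
    def __init__(self, address):
        self.address = address
        self.borrows = {}     # borrower -> underlying owed in this market
        self.collateral = {}  # holder -> oTokens held (used as collateral)

    def liquidate_borrow(self, liquidator, borrower, repay_amount, o_token_collateral):
        owed = self.borrows.get(borrower, 0)
        repaid = min(owed, repay_amount)
        self.borrows[borrower] = owed - repaid
        # Toy seize: one collateral token per unit repaid, no liquidation incentive
        held = o_token_collateral.collateral.get(borrower, 0)
        seized = min(held, repaid)
        o_token_collateral.collateral[borrower] = held - seized
        o_token_collateral.collateral[liquidator] = (
            o_token_collateral.collateral.get(liquidator, 0) + seized)
        return seized


class FakeOToken:
    """Attacker-deployed contract at an unlisted address. Same interface,
    but it repays nothing, seizes nothing and returns any number it likes."""
    def __init__(self, address, claimed_seized):
        self.address, self.claimed_seized, self.collateral = address, claimed_seized, {}

    def liquidate_borrow(self, liquidator, borrower, repay_amount, o_token_collateral):
        return self.claimed_seized


class LiquidationHelper:
    """Pays a bonus from its reward pool sized by what the repay market reports."""
    REWARD_BPS = 500  # assumed 5% of seized collateral

    def __init__(self, comptroller, reward_pool, validate):
        self.comptroller, self.reward_pool, self.validate = comptroller, reward_pool, validate

    def liquidate(self, liquidator, borrower, o_token_repay, o_token_collateral, repay_amount):
        if self.validate:
            # Hardened path: both addresses must be Comptroller-listed markets before
            # any external call, as liquidateBorrowAllowed() requires for its cTokens
            for m in (o_token_repay, o_token_collateral):
                if not self.comptroller.is_listed(m.address):
                    raise ValueError(f"market {m.address} is not listed")
        # Without the check above, o_token_repay is whatever the caller passed, so
        # this return value is attacker-controlled
        seized = o_token_repay.liquidate_borrow(liquidator, borrower, repay_amount, o_token_collateral)
        reward = min(seized * self.REWARD_BPS // 10_000, self.reward_pool)
        self.reward_pool -= reward
        return seized, reward


def run_scenario(validate):
    comp = Comptroller()
    o_usd, o_nft = OToken("0xRepayMarket"), OToken("0xCollateralMarket")  # hypothetical
    comp.support_market(o_usd)
    comp.support_market(o_nft)
    o_usd.borrows["borrower"] = 1_000 * MANTISSA
    o_nft.collateral["borrower"] = 1_000 * MANTISSA
    helper = LiquidationHelper(comp, reward_pool=10_000 * MANTISSA, validate=validate)
    # An honest liquidation works in both variants
    seized, reward = helper.liquidate("liquidator", "borrower", o_usd, o_nft, 400 * MANTISSA)
    out = {"legit_seized": seized, "legit_reward": reward}
    # Self-liquidation with the attacker's own contract passed as oTokenRepay
    fake = FakeOToken("0xAttacker", claimed_seized=10**9 * MANTISSA)
    try:
        _, reward = helper.liquidate("attacker", "attacker", fake, o_nft, 0)
        out["attack"] = ("paid", reward)
    except ValueError:
        out["attack"] = ("rejected", 0)
    out["pool_left"] = helper.reward_pool
    return out
```

Without the listing check, the fake market's reported seizure empties the reward pool; with it, the call is refused before the helper ever executes attacker code. The check has to come before the first external call, since nothing read back from an attacker's contract can be trusted, and it has to cover both addresses, because a fake oTokenCollateral is just as useful to an attacker as a fake oTokenRepay.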
PeckShield also noted that the Onyx theft may be related to the known precision issue in the forked Compound V2 codebase, which attackers have exploited before. CertiK likewise stated that the empty-market vulnerability caused by Compound V2's precision loss is a known problem that has been attacked many times: Hundred Finance last year and Sonne Finance in May this year were both hit through precision loss.
Odaily Planet Daily found that Onyx was also attacked in November last year, and that attack likewise exploited the known rounding problem in the Compound V2 fork. At the time, Alex, the head of the Onyx community, said the vulnerability had been fixed and that they were working with partners on the follow-up.
Onyx Protocol is an on-chain lending platform in the Ethereum ecosystem that aims to provide a lending market for tokens and NFTs. The token lending part is understood to have drawn on the code of Compound V2 during development and is considered a Compound V2 fork. The Compound V2 code at the time had the precision issue; Compound itself has since fixed it, but projects forked before that fix inherited the problem unless they patched it themselves.
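The rounding issue referred to above is easiest to see with integers. The following Python model is an added example (not Onyx or Compound code) of Compound V2's exchange-rate arithmetic: an attacker who holds 2 cTokens of an otherwise empty market donates underlying directly to the contract, borrows against the inflated collateral value, then calls redeemUnderlying for all but 1 wei; the truncating division burns only one of the two cTokens, so the hypothetical liquidity check still passes and the market is left with 1 wei backing the debt. The same steps are then run against a market seeded with a small burnt supply at listing, the seed-and-burn mitigation commonly recommended for Compound V2 forks; whether Onyx applied it is not stated on this page. The initial exchange rate of 2e26, 18-decimal assets, a collateral factor of 0.8 and an oracle price of 1 are assumed parameters.

```python
# Integer model of the Compound V2 empty-market rounding issue and of the
# seed-and-burn mitigation. Added example, not Onyx or Compound code; the
# parameters (18-decimal assets, initialExchangeRateMantissa 2e26, collateral
# factor 0.8, oracle price 1.0) are assumptions.
MANTISSA = 10**18
INITIAL_RATE = 2 * 10**26  # exchangeRate applied while totalSupply == 0
BURN = "0xdead"            # hypothetical holder that never redeems


class CToken:
    def __init__(self):
        self.cash, self.total_supply, self.balances = 0, 0, {}

    def exchange_rate(self):
        # exchangeRateStoredInternal(); borrows and reserves stay 0 in this model
        if self.total_supply == 0:
            return INITIAL_RATE
        return self.cash * MANTISSA // self.total_supply

    def mint(self, who, amount):
        tokens = amount * MANTISSA // self.exchange_rate()  # truncated
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def donate(self, amount):
        self.cash += amount  # plain ERC20 transfer: cash grows, totalSupply does not

    def tokens_for(self, amount):
        # redeemUnderlying(): redeemTokens = redeemAmountIn * 1e18 / exchangeRate, truncated
        return amount * MANTISSA // self.exchange_rate()

    def burn(self, who, tokens, amount):
        if tokens > self.balances.get(who, 0) or amount > self.cash:
            raise ValueError("insufficient cTokens or cash")
        self.balances[who] -= tokens
        self.total_supply -= tokens
        self.cash -= amount
        return amount


class Comptroller:
    def __init__(self, markets, cf, price):
        self.markets, self.cf, self.price, self.debt = markets, cf, price, {}

    def value_of(self, m, tokens):
        # tokensToDenom = collateralFactor * exchangeRate * oraclePrice, then * balance
        denom = self.cf * m.exchange_rate() // MANTISSA * self.price // MANTISSA
        return denom * tokens // MANTISSA

    def liquid(self, who, redeem=(None, 0), borrow=(None, 0)):
        # getHypotheticalAccountLiquidityInternal(): collateral >= debt + effects
        collateral = sum(self.value_of(m, m.balances.get(who, 0)) for m in self.markets)
        effects = sum(self.debt.get((who, m), 0) for m in self.markets) * self.price // MANTISSA
        if redeem[0] is not None:
            effects += self.value_of(redeem[0], redeem[1])
        if borrow[0] is not None:
            effects += borrow[1] * self.price // MANTISSA
        return collateral >= effects

    def borrow(self, who, m, amount):
        if amount > m.cash or not self.liquid(who, borrow=(m, amount)):
            raise ValueError("borrow not allowed")
        m.cash -= amount
        self.debt[(who, m)] = self.debt.get((who, m), 0) + amount

    def redeem(self, who, m, tokens=None, amount=None):
        # redeem() takes a cToken count, redeemUnderlying() an underlying amount
        tokens = m.tokens_for(amount) if tokens is None else tokens
        amount = tokens * m.exchange_rate() // MANTISSA if amount is None else amount
        if not self.liquid(who, redeem=(m, tokens)):
            raise ValueError("redeem not allowed")
        return m.burn(who, tokens, amount)


def attack(comp, target, victim, who, dust, donation):
    """Attacker's net gain in underlying, assuming the borrow is never repaid."""
    tokens = target.mint(who, dust)   # empty market: 4e8 wei of dust -> 2 cTokens
    target.donate(donation)           # each cToken now 'worth' half the cash
    want = target.cash - 1
    burn = target.tokens_for(want)    # floor(2*(cash-1)/cash) == 1 when supply == 2
    if burn >= tokens:
        # Truncation gains at most one cToken's worth: the donation is simply lost
        return comp.redeem(who, target, tokens=tokens) - dust - donation
    borrowed = min(comp.value_of(target, tokens - burn), victim.cash)
    comp.borrow(who, victim, borrowed)  # the one cToken that 'remains' covers the debt
    got = comp.redeem(who, target, amount=want)  # check passes, cash drops to 1 wei
    return got + borrowed - dust - donation


def run_scenarios(donation=500 * MANTISSA, dust=4 * 10**8):
    out = {}
    for seeded in (False, True):
        target, victim = CToken(), CToken()
        victim.mint("lp", 1_000 * MANTISSA)  # honest liquidity the attacker borrows
        if seeded:
            target.mint(BURN, MANTISSA)  # mitigation: seed at listing, burn the cTokens
        comp = Comptroller([target, victim], cf=8 * 10**17, price=MANTISSA)
        key = "seeded" if seeded else "empty"
        out[key + "_profit"] = attack(comp, target, victim, "attacker", dust, donation)
        out[key + "_cash_left"] = target.cash
        out[key + "_bad_debt"] = comp.debt.get(("attacker", victim), 0)
    return out
```

In the empty-market run the attacker walks away with almost 200 units of the victim market's underlying while the target market holds 1 wei against that debt. In the seeded run the same donation only enriches the burnt position, redeemUnderlying would need to burn billions of cTokens the attacker does not hold, and the attacker ends the sequence at a loss; the rounding error is bounded by one cToken's worth, which seeding keeps negligible.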
Odaily Planet Daily will continue to pay attention to the follow-up developments of the Onyx Protocol theft.