In the most recent security breach incident, Onyx Protocol, a decentralised finance (DeFi) project, fell victim to an exploit involving flash loans, resulting in the loss of approximately $2.1 million worth of Ethereum (ETH) coins.
Blockchain investigator PeckShield promptly raised an alert about the hack, which had gone unnoticed by the protocol until then.
#PeckShieldAlert@OnyxProtocol has been exploited for ~2.1M pic.twitter.com/5Z50tCg6MD
— PeckShieldAlert (@PeckShieldAlert) November 1, 2023
a
According to reports, the wallet address of the Onyx Protocol exploiter currently holds a balance of 1,164 ETH, equivalent to roughly $2.1 million, which malicious actors seized through the exploit.
This breach was initiated by the Onyx Protocol hacker, who took advantage of a known bug associated with a popular CompoundV2 fork.
The suspected perpetrator leveraged a rounding issue within the oPEPE market, allegedly lacking liquidity, to borrow funds from other markets.
This tactic was detailed in PeckShield's independent investigation.
It is worth noting that this is not an isolated incident; a similar bug was exploited earlier to pilfer $7 million from the multichain lending protocol Hundred Finance.
In that case, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS, allowing them to withdraw more tokens than initially deposited, as confirmed by CertiK.
#CertiKSkynetAlert 🚨@HundredFinance’s attacker manipulated the exchange rate between ERC-20 tokens and htokens which allowed them to withdraw more tokens than they had originally deposited. The estimated losses of this attack is around $7.4 million.
Stay vigilant! https://t.co/1hxAnFoNjj<br/>— CertiK Alert (@CertiKAlert) April 15, 2023<br/> a
The attacker's method involved initiating the scheme with an ostensibly trivial donation to the oPEPE market.
This initial contribution served as collateral to secure a substantial loan from markets with sufficient liquidity.
Following this, the borrowed funds were redeemed, and the exploit was executed by capitalising on the rounding issue.
This theft was facilitated by the fact that the oPEPE market had only been established five days prior and contained no funds, offering a ripe opportunity for exploitation.
In a more detailed breakdown of the incident, the attacker orchestrated a flash loan of 4,000 ETH from Aave, an open-source liquidity protocol, and subsequently exchanged it for the meme coin, PEPE, prior to exploiting the oPEPE smart contract on Onyx.
Alex Onyx, the Community Leader for Onyx Protocol, acknowledged the theft and confirmed that the vulnerability has been addressed.
The team is actively working to secure the protocol further.
On X (formerly known as Twitter), Alex expressed awareness of the situation and provided assurance that steps are being taken to mitigate risks moving forward.