Unauthorized outflow from 0vix
0vix, a DeFi (decentralized finance) lending protocol, has suffered an exploit worth approximately 270 million yen ($2 million) on Polygon PoS.
The protocol allows the cryptocurrencies Ethereum (ETH) and Polygon (MATIC), stablecoins, and the staking token vGHST from the blockchain gaming project Aavegotchi to be used as collateral.
Borrowers provide collateral to receive loans such as stablecoins. Lenders can deposit their assets in a liquidity pool and earn lending fees.
The attack targeted vGHST. According to blockchain security firm Certik, the attackers allegedly manipulated the vGHST price oracle to obtain 1.45 million USDC, 58,400 USDT and 9,500 GHST.
With joint investigation @0vixProtocol we determined the root cause is due to the introduction of a vulnerable VGHSTOracle, https://t.co/ddKynf9eSO, which was deployed on Mar-17-2023 and suffers from today’s donation-based price manipulation.
Basically, the hacker… pic.twitter.com/4zXzE91EpN
— PeckShield Inc. (@peckshield) April 28, 2023
Another blockchain security firm, PeckShield, said the vulnerability lay in the price oracle of 0vix’s vGHST lending pool. The attacker was found to have transferred the obtained assets to the Ethereum mainnet via the bridge “Stargate”, aggregated them into 757 ETH, and parked them at a single address “0x702E~”.
Following the incident, 0vix suspended not only Polygon PoS, but also the market on Polygon zkEVM (β), a ZK rollup-based Ethereum L2, for investigation.
The 0vix team confirmed the attack and announced on Twitter that it is currently investigating. Regarding the suspension of the lending market, the team commented, “Only PoS is currently affected, and as a precautionary measure, we have suspended zkEVM. It is likely to resume soon.” The team also offered the attackers a ¥17 million ($125,000) bounty, demanding that they return the stolen funds.
Also to clarify, 0VIX on Polygon POS has been affected, not on Polygon zkEVM.
— 0VIX | live on zkEVM (@0vixProtocol) April 28, 2023
0vix’s total value locked (TVL), which stood at 870 million yen ($6.4 million), has fallen to 230 million yen ($1.7 million) as investors withdrew funds amid the turmoil.
What is Polygon PoS?
The Polygon PoS chain (formerly MATIC) is a hybrid chain that combines Plasma and Proof of Stake. It uses the PoS consensus mechanism to create a separate blockchain connected to Ethereum, where it processes transactions and then periodically commits to Ethereum’s main chain.
Exploitation of price oracles
In DeFi applications, price oracles supply the price data that is referenced when an asset is used as collateral to borrow another asset, when an index is rebalanced, and when synthetic assets are generated.
Price oracle manipulation is well known in the DeFi sector: attackers manipulate the price oracle of an illiquid token so that their collateral is valued far above its real worth, and then borrow more from a lending service than they normally could.
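Added example (not code from 0vix, PeckShield or this article): a constructed Python model of a share-price oracle for a staking vault, showing why a price derived from the raw contract balance moves when tokens are simply sent to the contract, why internally tracked accounting does not, and a deviation guard a lending market can apply to any oracle reading before it sizes a loan. The Vault class, the donate() path, guarded_price() and the 10% bound are assumptions for illustration, not 0vix’s design.

```python
from dataclasses import dataclass


@dataclass
class Vault:
    """Constructed toy staking vault: deposit an underlying token, receive shares."""
    balance: float = 0.0   # tokens the vault address holds (what balanceOf() reports)
    tracked: float = 0.0   # tokens credited through deposit()/withdraw() only
    supply: float = 0.0    # outstanding shares

    def deposit(self, amount: float) -> float:
        shares = amount if self.supply == 0 else amount * self.supply / self.tracked
        self.balance += amount
        self.tracked += amount
        self.supply += shares
        return shares

    def donate(self, amount: float) -> None:
        """A plain token transfer to the vault address that bypasses deposit()."""
        self.balance += amount


def naive_share_price(v: Vault) -> float:
    # Weak design: price comes from the raw contract balance, so any transfer moves it.
    return v.balance / v.supply


def tracked_share_price(v: Vault) -> float:
    # Hardened design: only tokens that actually minted shares count toward the price.
    return v.tracked / v.supply


def guarded_price(candidate: float, last_accepted: float, max_dev: float = 0.10) -> float:
    """Defensive check for any oracle: reject a reading that jumps too far in one step."""
    if abs(candidate - last_accepted) / last_accepted > max_dev:
        raise ValueError(f"oracle reading {candidate} deviates >{max_dev:.0%} from {last_accepted}")
    return candidate


def max_borrow(collateral_shares: float, share_price: float, ltv: float = 0.7) -> float:
    """Borrow limit a lending market would grant against the collateral at that price."""
    return collateral_shares * share_price * ltv


def scenario() -> tuple[float, float, float]:
    """Transfer of 3x the tracked deposits: naive price quadruples, tracked price stays flat."""
    v = Vault()
    v.deposit(1000.0)
    before = naive_share_price(v)
    v.donate(3000.0)
    return before, naive_share_price(v), tracked_share_price(v)
```

A deviation guard fails closed, so a market using it also needs a plan for legitimate large moves (a paused market is a liveness cost, not a loss of funds). Tracked accounting only helps if the oracle reads the tracked figure rather than balanceOf().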
In October 2010, attackers used the same method when cryptocurrency worth 17 billion yen was drained from the Solana (SOL)-based DeFi protocol Mango Markets. The attackers prepared about 1.5 billion yen ($10 million) in funds to manipulate the price oracle. By tripling the Mango token price from about 45 yen ($0.30) to about 135 yen ($0.91), they raised the value of their collateral and borrowed far more from the protocol than it would normally allow.
In September 2022, the US FBI issued an unusual warning about the hacks that frequently occur in DeFi protocols, citing flash loan attacks and techniques that exploit vulnerabilities in DeFi price oracles as examples. The total damage caused by cryptocurrency crime in the first quarter of 2020 (January to March) was 180 billion yen ($1.3 billion), of which 97% was taken from DeFi platforms.
The post About 270 million yen worth of assets leaked due to unauthorized use of 0vix, a loan protocol on Polygon appeared first on Our Bitcoin News.