Onyx DeFi Protocol Loses $2.1 Million in Hack Exploiting Rounding Issue

Published: November 01, 2023 at 7:21 am Updated: November 01, 2023 at 7:21 am

Edited and fact-checked:
November 01, 2023 at 7:21 am

In Brief

Beosin’s EagleEye security platform reports that the DeFi protocol Onyx Protocol suffered a hack, leading to a loss of around US$2.1 million. Beosin Trace is currently tracking the stolen assets.

Decentralized finance (DeFi) protocol Onyx reported a loss of approximately $2.1 million in a recent breach. Security threat monitoring platform Beosin’s EagleEye first highlighted the breach, emphasizing their capability in tracking stolen assets.

The tweet from PeckShield Inc. detailed that the Onyx hack was orchestrated by exploiting a recognized rounding problem prevalent in the CompoundV2 fork. The compromised oPEPE market, set up a mere five days prior to the attack, began with no liquidity.

Malicious actors manipulated this barren market, donating to then borrow funds from more liquid markets. They subsequently claimed the donated funds by manipulating the aforementioned rounding vulnerability. It’s worth noting that a similar flaw was the culprit in a prior hack of #HundredFinance, which experienced a staggering loss of around $7 million.

The @OnyxProtocol hack leads to ~$2.1M loss by exploiting a known rounding issue behind the popular CompoundV2 fork.

Basically, the exploited oPEPE market was deployed 5 days ago without any liquidity. This empty market was abused with donation to borrow funds from other… https://t.co/ijkXbOyYr2 pic.twitter.com/fbHdZhTz0E

— PeckShield Inc. (@peckshield) November 1, 2023

Blockchain Protocol Security in October

In a broader review of blockchain security, Beosin’s monitoring platform suggests a positive trend for October 2023. Losses stemming from security lapses dipped considerably, dropping by 85.6% in comparison to September’s figures. The month of October saw just over 23 distinct security breaches that cumulatively led to losses approximating $51.61 million.

This sum, while substantial, is attributable to hacker attacks, phishing attempts, and Rug Pulls. Dissecting these figures further, direct attacks were responsible for about $28.33 million, Rug Pull schemes for nearly $12.02 million, and phishing activities accounted for close to $11.26 million.

Among the most alarming breaches in October was a $7 million pilfering from the Fantom Foundation’s wallet, a $6 million unauthorized withdrawal from Coins.ph, a Philippines-centric crypto exchange, and a theft of roughly $4.4 million from the acclaimed password management utility, LastPass.

Each of these infractions were connected to the compromising of private keys. Further adding to October’s list were numerous Rug Pull events, each surpassing the million-dollar threshold. One worth mentioning involved the Web3 game project, FinSoul. The project’s developer, Fintoch, had prior associations with deceitful undertakings.

Disclaimer

Any data, text, or other content on this page is provided as general market information and not as investment advice. Past performance is not necessarily an indicator of future results.

The Trust Project is a worldwide group of news organizations working to establish transparency standards.

Nik is an accomplished analyst and writer at Metaverse Post, specializing in delivering cutting-edge insights into the fast-paced world of technology, with a particular emphasis on AI/ML, XR, VR, on-chain analytics, and blockchain development. His articles engage and inform a diverse audience, helping them stay ahead of the technological curve. Possessing a Master’s degree in Economics and Management, Nik has a solid grasp of the nuances of the business world and its intersection with emergent technologies.

Nik Asti