Onyx Protocol, a decentralized finance (DeFi) platform that allows users to earn interest on their crypto assets, was hacked on November 1, 2023. The attacker exploited a rounding issue in the protocol’s code and drained over $2.1 million worth of Ethereum (ETH) and PEPE tokens.
According to BlockSec, a security firm that analyzed the incident, the attacker used a flash loan of a large amount of ETH to manipulate the exchange rate of PEPE, a meme token that is part of Onyx’s ecosystem. The attacker then swapped the PEPE tokens for ETH at an inflated rate, resulting in a profit of more than $2.1 million.
The exploit was possible due to a “precision loss” vulnerability in Onyx’s codebase, which originated from an older forked version of Compound V2, a popular DeFi lending protocol. The vulnerability allowed the attacker to withdraw more ETH than they should have by burning fewer shares of the pool.
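The rounding direction described above can be checked with plain integer arithmetic. The sketch below is an added example, not code from Onyx or Compound V2: it is a simplified share-accounting model in which the function names, the 1e18 scale and the pool figures are assumptions constructed for illustration. It compares a truncating share-burn calculation with one that rounds up in the pool's favour.

```python
SCALE = 10**18  # fixed-point scale of the exchange rate (assumed for this model)

def exchange_rate(cash: int, total_shares: int) -> int:
    """Underlying per share, scaled by SCALE and truncated like on-chain integer math."""
    if total_shares == 0:
        raise ValueError("empty pool")
    return cash * SCALE // total_shares

def shares_to_burn(amount: int, cash: int, total_shares: int, round_up: bool) -> int:
    """Shares charged for withdrawing `amount` of underlying."""
    rate = exchange_rate(cash, total_shares)
    scaled = amount * SCALE
    if round_up:
        return -(-scaled // rate)  # ceiling division: rounding favours the pool
    return scaled // rate          # truncation: rounding favours the withdrawer

def value_of(shares: int, cash: int, total_shares: int) -> int:
    """Underlying that `shares` are worth at the current exchange rate."""
    return shares * exchange_rate(cash, total_shares) // SCALE

def overpaid(amount: int, burned: int, cash: int, total_shares: int) -> int:
    """Underlying paid out beyond the value of the burned shares (0 if none)."""
    return max(0, amount - value_of(burned, cash, total_shares))

def redeem(cash: int, total_shares: int, holder_shares: int, amount: int, round_up: bool):
    """Apply a withdrawal and return (new_cash, new_total_shares, burned)."""
    burned = shares_to_burn(amount, cash, total_shares, round_up)
    if burned > holder_shares or amount > cash:
        raise ValueError("insufficient shares or cash")
    return cash - amount, total_shares - burned, burned

# Constructed pool state: very few shares outstanding against a large cash
# balance, so one share is worth about 1,000,000 units of underlying.
CASH, TOTAL_SHARES, HOLDER_SHARES, AMOUNT = 2_000_001, 2, 1, 1_999_999

if __name__ == "__main__":
    for round_up in (False, True):
        burned = shares_to_burn(AMOUNT, CASH, TOTAL_SHARES, round_up)
        print("round_up =", round_up, "burned =", burned,
              "overpaid =", overpaid(AMOUNT, burned, CASH, TOTAL_SHARES))
        try:
            print("  pool after redeem:", redeem(CASH, TOTAL_SHARES, HOLDER_SHARES, AMOUNT, round_up))
        except ValueError as exc:
            print("  rejected:", exc)
```

In this model the truncating path lets a holder of one share withdraw nearly the whole pool, while the rounding-up path charges two shares and rejects the request; asserting that `overpaid` is zero for every withdrawal is a property worth fuzzing in any fork that inherits this arithmetic.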
Onyx is the Latest DeFi Protocol to Fall Victim to an Exploit
The attacker has since sent 700 ETH ($1.25 million) to Tornado Cash, a service that provides anonymity for Ethereum transactions. The remaining funds are still in the attacker’s wallet.
Onyx Protocol has not issued any official statement on the exploit yet. The protocol’s website and Twitter account are currently offline. The protocol’s users are advised to withdraw their funds as soon as possible.
This is not the first time that a DeFi protocol has been exploited due to a rounding issue. In December 2022, Hundred Finance, another DeFi lending platform, lost $1.3 million in a similar attack.
The incident highlights the need for more rigorous security audits and testing for DeFi protocols, especially those that fork or copy code from other projects. DeFi users should also exercise caution and do their own research before investing in any new or unverified protocol.