Onyx Protocol’s Rerun of Exploits: Another $3.8M Lost

In the unpredictable world of DeFi, one truth remains constant: when vulnerabilities are left unchecked, disaster is never far behind. Onyx Protocol, a fork of Compound v2, has just become the latest proof of this, suffering its second major exploit in less than a year. This time, a staggering $3.8 million was siphoned off by a hacker who used the same vulnerability that had previously plagued the protocol. The lesson? Lightning can strike twice—especially if you’re standing in the same place with a metal rod.

So, what went wrong this time? And why has Onyx failed to learn from its past mistakes? Let’s dive into the details of this latest exploit and how the DeFi space is grappling with these recurring issues.


The Exploit: A Familiar Playbook

In what feels like a DeFi déjà vu, the latest Onyx exploit unfolded with remarkable precision, reusing the vulnerability exposed last year. The attack began with a 2,000 ETH flash loan from Balancer, a move straight out of the DeFi playbook. Using this loan, the hacker manipulated Onyx’s oEther contract, exploiting a vulnerability in its exchange rate calculations.

By repeatedly minting and redeeming oETH in minuscule amounts—fractions of a single Ether—the hacker sent the exchange rate into disarray. This allowed them to siphon off assets, including VUSD, XCN, DAI, WBTC, and USDT, over the course of 56 rapid transactions.

The flaw here was a known issue in Compound v2 forks: the asset’s exchange rate becomes highly volatile when liquidity is low, creating an opportunity for precision manipulation. In short, Onyx had left the door wide open, and the hacker didn’t hesitate to walk through it.
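To make the "volatile when liquidity is low" point concrete, here is an added toy model of the Compound v2 cToken exchange rate. It is illustration code written for this article, not Onyx's or Compound's code. It follows the formula Compound v2 uses in `exchangeRateStoredInternal()` (underlying held plus borrows minus reserves, divided by cToken supply, with a fixed initial rate while supply is zero) and measures how far a small change in the market's underlying balance moves that rate for a thinly supplied market versus one seeded with locked liquidity at launch. The seeding practice is the standard mitigation recommended for Compound v2 forks and is assumed here; the page itself does not describe it. All balances and the initial rate are constructed sample values, and exact fractions stand in for the 1e18-scaled integer math used on-chain.

```python
"""Toy model of the Compound v2 cToken exchange rate (added illustration, not
Onyx or Compound code).

Compound v2's exchangeRateStoredInternal() computes
    exchangeRate = (cash + borrows - reserves) / totalSupply
and falls back to a fixed initial rate while totalSupply == 0. The helpers
below show why a market with very few cTokens outstanding has a rate that
swings on tiny balance changes, and what a reviewer can check before listing
a market. Balances are constructed sample values in whole underlying units."""

from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Market:
    cash: int = 0          # underlying held by the market contract
    borrows: int = 0       # outstanding borrows (interest already accrued)
    reserves: int = 0      # protocol reserves
    total_supply: int = 0  # cTokens outstanding
    initial_rate: Fraction = Fraction(1)  # constructed: 1 cToken = 1 underlying

    def exchange_rate(self) -> Fraction:
        """Underlying per cToken, following the Compound v2 formula."""
        if self.total_supply == 0:
            return self.initial_rate
        return Fraction(self.cash + self.borrows - self.reserves, self.total_supply)

    def mint(self, underlying: int) -> int:
        """Supply underlying; minted cTokens are floored as on-chain integer math would."""
        minted = int(Fraction(underlying) / self.exchange_rate())
        self.cash += underlying
        self.total_supply += minted
        return minted

    def balance_change(self, underlying: int) -> None:
        """Underlying that reaches the contract without a mint (e.g. a plain
        transfer): cash rises, cToken supply does not, so the rate moves."""
        self.cash += underlying


def rate_sensitivity(seed_underlying: int, delta: int) -> Fraction:
    """Ratio rate_after / rate_before when `delta` underlying lands in a market
    whose only cToken supply came from minting `seed_underlying`.

    A well-seeded market returns a ratio close to 1; a thin one returns a
    large multiplier, which is the condition the article calls 'liquidity is low'."""
    market = Market()
    market.mint(seed_underlying)
    before = market.exchange_rate()
    market.balance_change(delta)
    return market.exchange_rate() / before


def is_thinly_supplied(market: Market, min_supply: int) -> bool:
    """Listing-time / monitoring check: flag a market whose cToken supply is
    below a floor. Seeding a new market with locked liquidity (the usual
    mitigation for Compound v2 forks, assumed here) keeps this False."""
    return market.total_supply < min_supply


if __name__ == "__main__":
    # Thin market: 2 underlying minted, then 1000 underlying arrives directly.
    print("thin market rate multiplier:", rate_sensitivity(2, 1000))  # 501
    # Seeded market: 1,000,000 underlying minted and locked at launch, same 1000.
    print("seeded market rate multiplier:", rate_sensitivity(1_000_000, 1000))  # 1001/1000
    print("thin market flagged:", is_thinly_supplied(Market(total_supply=2), 10_000))  # True
```

The two calls to `rate_sensitivity` use the same 1000-unit balance change; the only difference is how many cTokens exist to absorb it. That is the whole reason seeding a market (and locking the seed shares so the supply cannot be withdrawn back to near zero) is the accepted fix for this class of Compound v2 fork bug, and `is_thinly_supplied` is the kind of invariant a monitoring job or a pre-listing review would assert on each market.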

Exploiter Address: 0x680910cf5Fc9969A25Fd57e7896A14fF1E55F36B
Attack Transaction: 0x46567c731c4f4f7e27c4ce591f0aebdeb2d9ae1038237a0134de7b13e63d8729
Attack Contract: 0xAE7d68b140Ed075E382e0A01d6c67ac675AFa223


A DeFi Disaster in Slow Motion

While the hacker was minting and draining millions from the protocol, Cyvers—a blockchain security firm—was one of the first to raise the alarm, tweeting:

“Our system has detected suspicious transactions involving Onyx DAO on the ETH chain! Total loss is around $3.8M.”

Unfortunately, it took four hours for Onyx to issue a public response. By the time they acknowledged the exploit, the damage had already been done. As blockchain detectives pieced together the crime scene, it became clear that this was not just a random occurrence—it was a rerun of last year’s exploit, with the same vulnerability being used to drain the protocol’s vaults.

Despite the belated response, Onyx scrambled to contain the fallout, shutting down the affected markets. However, by then, the hacker had made off with the following:

  • 4.1M VUSD
  • 7.35M XCN
  • 5K DAI
  • 0.23 WBTC
  • 50K USDT

It’s a troubling case of “fool me twice,” as Onyx fell victim to a vulnerability that had already been identified and exploited in the past.


Learning from Mistakes—or Not?

This isn’t just a story of bad luck—it’s a tale of negligence. Onyx had been audited by CertiK back in January 2022, but there’s been little evidence of follow-up audits or meaningful updates to patch vulnerabilities since then. Instead, the protocol continued to roll out new markets, like VUSD, without conducting comprehensive security reviews, effectively inviting further exploits.

Worse still, PeckShield discovered an additional vulnerability in Onyx’s NFTLiquidation contract, which allowed the attacker to inflate liquidation rewards, giving them another avenue to exploit the protocol. This oversight piled on top of the already glaring exchange rate issue, turning the exploit into a full-scale disaster.


The Bigger Picture: Is DeFi Moving Too Fast?

Onyx’s repeated failure raises broader questions about the pace of innovation in DeFi. With new projects launching at a breakneck speed, security can often take a backseat to growth and development. As Onyx’s misfortune shows, the result can be devastating.

In a space driven by the “move fast and break things” ethos, Onyx stands as a cautionary tale. The introduction of new markets without sufficient audits has turned the protocol into a playground for exploiters.

As we’ve seen time and again, it’s not enough to launch a new feature or protocol—without a focus on security, DeFi projects risk falling into the same trap.


Conclusion: Fool Me Twice, Shame on DeFi?

Onyx Protocol’s latest exploit paints a grim picture of a DeFi landscape where known vulnerabilities go unpatched, and projects appear unwilling—or unable—to learn from past mistakes. In the grand tapestry of DeFi exploits, Onyx is weaving a story of negligence and repeated failure.

With $3.8 million lost in a familiar attack, the question remains: how many times will Onyx be bitten before it learns? More importantly, how many other DeFi projects are operating with similar vulnerabilities, waiting for the next exploit?

In a world where code is law, Onyx has proven that even when the rules are clear, the cost of ignoring them can be catastrophic. For now, Onyx remains in the “fool me twice” club, proving that in DeFi, lightning can indeed strike the same place twice.
