NFT liquidation contract vulnerability exploited; Onyx Protocol stablecoin VUSD depegs and drops 70%

Original | Odaily Planet Daily ( @OdailyChina )

Author | Vincent31515173 ( @vincent31515173 )

Yesterday, the lending platform Onyx Protocol was exploited through a contract vulnerability, resulting in a loss of over $3.8 million. The stolen funds include 13 million VUSD, 7.35 million XCN, 5,000 DAI, 0.23 WBTC, and 50,000 USDT.

CoinGecko data shows that VUSD immediately lost its peg, dropping to a low of $0.2757, a 72.43% decrease in 24 hours. As of the time of writing, VUSD remains depegged but has recovered to $0.7228, narrowing the 24-hour decline to 28.3%.

Onyx Protocol has proposed OIP-46 to address the stolen funds, suggesting a restart of the open-source licensed financial network Onyx Core as the main product, along with XCN Staking to ensure the governance of Onyx Core and rewards for Onyx Stakers.

According to the proposal, Onyx Protocol will operate a closed-loop lending protocol on Onyx Core, allowing users to package and lend NFTs and real-world assets (RWA), while supporting crypto assets from multiple chains. The proposal would close the Ethereum-based lending market and fully compensate all affected users, repaying their assets at a 1:1 ratio.

Event Review

On September 26 at 20:48, security company Cyvers Platform posted on X, stating that its system detected suspicious transactions involving Onyx, with losses potentially reaching $3.2 million.

At 21:55 on the same day, security company PeckShield posted on X, stating that the funds taken included 4.1 million VUSD, 7.35 million XCN, 5,000 DAI, 0.23 WBTC, and 50,000 USDT.

Subsequently, the VUSD official announcement stated: "Encountered a security vulnerability, resulting in over $13 million VUSD being stolen. The hacker then sold the stolen VUSD to the liquidity pool, resulting in a secondary market liquidity loss of approximately $1.5 million. After the incident, the smart contract has been suspended for proper communication. Currently, it is confirmed that the VUSD codebase and reserves have no vulnerabilities. Malicious actors will be blacklisted according to the terms of service. After the investigation, the VUSD smart contract service will be restored, and participants can continue arbitrage."

The official statement mentioned that VUSD is still fully supported by over-collateralized assets, and institutional users can redeem and mint VUSD at market prices. VUSD is working with Onyx DAO and relevant authorities to identify the attackers and plans to explore the licenses required for future retail redemption.

Why was Onyx Protocol hacked?

Security company PeckShield stated that the attack stemmed from the NFT liquidation contract, which failed to properly validate untrusted user input, resulting in an artificially inflated self-liquidation reward amount.

Onyx Protocol quoted PeckShield's post on the "hacker using NFTLiquidation contract vulnerability attack," stating that the hacker used the protocol to withdraw VUSD and that the exploit can be traced to a security flaw in the NFT liquidation contract. The main issue is not an empty market but the NFT Liquidation contract, and XCN staking and XCN Farming were not affected.

Well-known security company CertiK told Odaily Planet Daily: "Onyx Protocol's liquidation contract did not verify the oTokenCollateral and oTokenRepay addresses passed by the user. In simple terms, the attacker deceived the Onyx protocol into thinking that they had repaid the debt through a malicious contract they deployed, thus reclaiming all collateral without repaying the debt."
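The missing check CertiK describes can be sketched as a guard around a liquidation entry point. This is an added illustration, not Onyx Protocol code: the interface and contract names are assumptions, with function signatures modelled on Compound V2's public Comptroller and CToken interfaces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Onyx Protocol code. Interfaces are assumptions
// modelled on Compound V2's Comptroller and CToken.
interface IComptrollerLike {
    function markets(address oToken)
        external view
        returns (bool isListed, uint256 collateralFactorMantissa, bool isComped);
}

interface IOTokenLike {
    function comptroller() external view returns (address);
    function borrowBalanceCurrent(address account) external returns (uint256);
    function borrowBalanceStored(address account) external view returns (uint256);
}

abstract contract LiquidationInputGuard {
    IComptrollerLike public immutable comptroller;

    error UnlistedMarket(address oToken);
    error ForeignComptroller(address oToken);
    error DebtNotReduced(uint256 debtBefore, uint256 debtAfter);

    constructor(IComptrollerLike comptroller_) {
        comptroller = comptroller_;
    }

    // Reject any market address the protocol itself did not list.
    function _requireListed(address oToken) internal view {
        (bool isListed, , ) = comptroller.markets(oToken);
        if (!isListed) revert UnlistedMarket(oToken);
        // Reached only for listed markets, so no caller-deployed code is queried.
        if (IOTokenLike(oToken).comptroller() != address(comptroller)) {
            revert ForeignComptroller(oToken);
        }
    }

    // Validates both caller-supplied markets before the liquidation body runs,
    // then confirms from the listed market's own books that debt went down.
    modifier validatedLiquidation(address oTokenRepay, address oTokenCollateral, address borrower) {
        _requireListed(oTokenRepay);
        _requireListed(oTokenCollateral);
        uint256 debtBefore = IOTokenLike(oTokenRepay).borrowBalanceCurrent(borrower);
        _;
        uint256 debtAfter = IOTokenLike(oTokenRepay).borrowBalanceStored(borrower);
        if (debtAfter >= debtBefore) revert DebtNotReduced(debtBefore, debtAfter);
    }
}
```

A liquidation contract would inherit the guard and apply `validatedLiquidation` to every external function that accepts `oTokenRepay` and `oTokenCollateral` from the caller.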

PeckShield also mentioned that the theft from Onyx may be related to a known precision issue in the Compound V2 codebase, which the attacker exploited. CertiK also stated that the "Empty Market Vulnerability" caused by the precision loss issue in Compound V2 is a known problem that has been exploited multiple times, with Hundred Finance last year and Sonne Finance in May this year both attacked due to precision loss.

An investigation by Odaily Planet Daily found that Onyx was also hacked in November last year for the same reason, when the hacker exploited a known rounding issue in its Compound V2 fork. However, at that time, Onyx community leader Alex stated that the vulnerability had been fixed and was being handled with partners.

It is reported that Onyx Protocol is an on-chain lending platform in the Ethereum ecosystem that aims to provide a lending market for tokens and NFTs. The token part possibly referenced the code of Compound V2 during development, making it a fork of Compound V2. At that time, the Compound V2 code had precision issues. Compound itself has since addressed them, but projects forked before that were unable to avoid the related problems.

Odaily Planet Daily will continue to follow up on the progress of Onyx Protocol after the theft.
