Hack Explained - Onyx Protocol 2

Hack Explained - Onyx Protocol 2

·

2 min read

Onyx Protocol, a decentralised finance (DeFi) application built as a fork of Compound Finance, was exploited on September 26, 2024, resulting in a loss of approximately $3.8 million. The breach stemmed from a known vulnerability in the Compound Finance v2 codebase, along with new input validation flaws in its non-fungible token (NFT) liquidation contract.

It’s not the first time Onyx fell victim to a high profile hack, check out here what happened almost a year ago: https://blog.rivanorth.com/onyx-protocol

Behind the Breach

The attacker exploited a known bug that allowed them to manipulate exchange rates within an empty market—a situation that typically arises when a new market is launched without sufficient liquidity​. The failure to implement adequate input validation in the NFT liquidation contract further enabled the attackers to inflate rewards from self-liquidations​.

Lessons from the Incident

Forking protocols like Compound Finance carries inherent risks, including the possibility of inheriting vulnerabilities from the original codebase, which can lead to significant security threats if not adequately addressed. In the case of the Onyx Protocol exploit, a known bug from Compound Finance was exploited, highlighting the importance of vigilance in security practices. Additionally, many forks fail to implement specific security measures tailored to their unique architecture, leaving them susceptible to attacks that exploit unmodified legacy code. Furthermore, launching new markets without thorough testing or security audits increases their vulnerability; attackers often target these newly introduced features, especially when liquidity is low. To mitigate these risks, DeFi protocols should conduct comprehensive security audits.


Rivanorth is a Web3 cybersecurity company specialising in smart contract audits and 360 degree security services for Web3.

Visit rivanorth.com to find out more.

You build the future. We help you secure it.