The decentralized finance (DeFi) sector was hit once again by the same vulnerability, read-only reentrancy, when Onyx Protocol, a Compound Finance fork, suffered a $2.1 million loss. This incident marks yet another entry in a series of attacks leveraging the same vulnerability, one that has hit notable names such as Midas and many more in the past, with cumulative losses now exceeding $10 million.
Behind the Breach
The exploit took advantage of a rounding error in the Compound v2 code which, under specific conditions, allows an attacker to manipulate empty markets and drain liquidity from the protocol. In Onyx's case, the vulnerability became exploitable after a lending market for the memecoin PEPE was added under governance Proposal 22.
The attacker executed what is known as an 'empty market attack' by taking a flash loan, swapping it for PEPE, and then inflating the price of oPEPE by donating a large amount of PEPE to the pool. This overvaluation was then used as collateral to borrow other assets, ultimately draining the protocol’s liquidity. The profits, amounting to 1164 ETH, were funnelled through an intermediary address before most were deposited into Tornado Cash, with the remainder being distributed to on-chain panhandlers.
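The empty-market accounting described above, as an added Python model written for this article (not Onyx or Compound code; the simplifying assumptions are stated in the header comment): it shows how a donation to an unseeded market is credited in full as collateral, how flooring in the redeem path leaves a share behind that a pre-redeem liquidity check still values at the inflated rate, and how a governance seed deposit plus rounding in the protocol's favour remove both conditions.

```python
# Toy model of a Compound v2-style market for the two mechanics described above: a
# donation to an empty market inflates the share price, and floor division in redeem
# lets shares survive that accounting. Added for this article, not Onyx or Compound
# code. Assumptions: wei-like ints, rate ignores borrows/reserves, empty market = 1:1.
from dataclasses import dataclass

SCALE = 10**18  # fixed-point scale of the exchange rate, as in Compound v2

@dataclass
class Market:
    cash: int = 0          # underlying held by the market contract
    total_supply: int = 0  # oToken shares outstanding

    def exchange_rate(self) -> int:  # underlying per share, scaled by SCALE
        return SCALE if self.total_supply == 0 else self.cash * SCALE // self.total_supply

    def mint(self, amount: int) -> int:
        shares = amount * SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += shares
        return shares

    def donate(self, amount: int) -> None:
        self.cash += amount  # plain transfer to the contract: no shares minted
    def collateral_value(self, shares: int) -> int:
        return shares * self.exchange_rate() // SCALE
    def redeem_underlying(self, amount: int, round_up: bool = False) -> int:
        """Withdraw `amount` underlying, return shares burned; round_up is the hardened variant."""
        rate, num = self.exchange_rate(), amount * SCALE
        burned = -(-num // rate) if round_up else num // rate  # ceil favours the protocol
        self.cash -= amount
        self.total_supply -= burned
        return burned

def collateral_after_donation(seed: int, deposit: int, donation: int) -> int:
    """Collateral credited to `deposit` once `donation` lands in a market seeded with `seed`."""
    m = Market()
    m.mint(seed)  # governance-held seed shares (0 = empty market) dilute any donation
    shares = m.mint(deposit)
    m.donate(donation)
    return m.collateral_value(shares)

def redeem_rounding(donation: int, round_up: bool) -> tuple[int, int]:
    """Two shares in an empty market, a donation, then a redeem of all but one unit:
    returns (shares burned, collateral a pre-redeem liquidity check still credits)."""
    m = Market()
    shares = m.mint(2)
    m.donate(donation)
    rate = m.exchange_rate()
    burned = m.redeem_underlying(donation + 1, round_up)
    return burned, (shares - burned) * rate // SCALE
```

With an empty market the whole donation is counted as the depositor's collateral, while a seeded market credits only a pro-rata sliver of it; the flooring redeem burns one of two shares and leaves the other valued at half the donation, whereas the rounded-up variant burns both.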
Lessons from the Incident
In response to the hack, Onyx Protocol has proposed a compensation plan to refund victims by selling native tokens from the treasury and pausing DAO contributors' salaries. However, this plan risks triggering a death spiral for the XCN token and misaligning team incentives.
When forking another project, it is vital to review the broader attack landscape: vulnerabilities that are not exploitable in the original project may become exploitable under the different market conditions the fork operates in.