Onyx Protocol Hack Explained: A Deeper Dive Into $2.1M Exploit

On November 1, 2023, Onyx Protocol, a fork of Compound Finance, fell prey to an attack, resulting in the loss of 1164 ETH ($2.1 million at the time of the attack). As we analyze the attack, we realize this was not just an isolated incident but a stark reminder of the inherent risks in the DeFi space. Let’s take a closer look at what happened and what we can learn from it.

Inside The Attack

The security flaw exploited in Onyx and other Compound forks—known as an “empty pool attack”—occurred due to a vulnerability in the Compound V2 code when initiating new, unfunded markets. Attackers took advantage of Onyx’s recently added, unfunded PEPE pool. The Onyx’s breach contributed to cumulative losses of over $10 million across similar platforms.

By minting oPEPE tokens in this empty pool and subsequently inflating their value through strategic donations, the attackers could borrow other assets against the overvalued oPEPE. They leveraged a rounding error in the protocol, which allowed them to redeem more than what was due, effectively draining the protocol’s resources.

Exploiter address: 0x085bdff2c522e8637d4154039db8746bb8642bff
Attack tx: 0xf7c21600…
Repeat exploiter address: 0x5083956303a145f70ba9f3d80c5e6cb5ac842706
Repeat-attack tx: 0x27a3788d…

The 1164 ETH profits, which amount to $2.1 million, were first transferred to an intermediary address, and then 1140 ETH were moved into Tornado Cash. In addition, the attacker shared a total of 19.5 ETH of the stolen funds with those who asked. Robin Hood vibes, anyone?

Onyx Protocol Losses

The total value locked (TVL) has been down 87% from $2.9M before the hack to $392K after the hack. This is a true cost of the lagging security. We call it double damage. Users rush to withdraw their funds after the exploit. The hack itself accounted for 1164 ETH, and then the protocol lost another 250 ETH due to a damaged reputation and market withdrawals.

Lessons Learned

1. Higher Decentralization: After the attack, the Onyx team started planning how to pay back the lost money. This could have been avoided if more people were involved in making decisions for the protocol. The protocol’s Proposal 22, which initiated the lending market for PEPE memecoin, had alarmingly low community participation, indicating the need for greater oversight.

2. Inherited Risks in Forking: Onyx’s troubles were magnified by its status as a fork of Compound Finance, which came with pre-existing vulnerabilities. These same vulnerabilities had been exploited in other forks like Hundred Finance and Midas Capital. It’s imperative for forks to not only inherit code but also to inherit the lessons from past exploits.

For enhanced security, Compound V2 forks should mint and then burn a number of cTokens when opening new markets, initially setting the collateral factor to zero to maintain a non-zero total supply, and subsequently adjusting the collateral factor to the desired level.

3. Importance of Audits and Security Measures: Despite being audited by Certik, Onyx fell through the cracks due to market-specific conditions. This underlines the importance of continuous security assessments that consider dynamic market conditions, not just static code analysis.

4. Stay Ahead of Hackers: The exploit highlights how attackers are often ahead of the curve, exploiting known vulnerabilities before teams can patch them. It’s a clear signal to DeFi projects to remain vigilant and proactive about security.

5. The Community’s Role: For larger protocols like Compound, community engagement often helps catch vulnerabilities. Onyx lacked this level of engagement, which could have provided an additional layer of security.

Conclusion

The Onyx Protocol hack serves as a wake-up call to the DeFi community. It teaches the importance of community vigilance, rigorous security practices, and the inherent risks of forking code. Moving forward, let’s use what happened to Onyx as a guide for making the world of DeFi safer for everyone.