On November 1, 2023, Onyx Protocol, a fork of Compound Finance, fell prey to an attack, resulting in the loss of 1164 ETH ($2.1 million at the time of the attack). As we analyze the attack, we realize this was not just an isolated incident but a stark reminder of the inherent risks in the DeFi space. Let's take a closer look at what happened and what we can learn from it.
Inside The Attack
The security flaw exploited in Onyx and other Compound forks, known as an "empty pool attack", lives in the Compound V2 cToken accounting when a newly listed market has no (or almost no) cTokens in circulation. Attackers took advantage of Onyx's recently added, unfunded PEPE pool. Onyx's breach adds to cumulative losses of over $10 million across platforms hit by the same bug.
The cToken exchange rate is simply the underlying held by the market divided by the cToken total supply. By minting a tiny amount of oPEPE in the empty pool and then "donating" a large amount of PEPE straight to the contract, the attackers inflated the exchange rate so that their few oPEPE appeared to be worth the entire donation, and borrowed other assets against that overvalued collateral. They then leveraged a rounding error in the protocol: redeemUnderlying rounds the number of cTokens to burn down, so at an inflated exchange rate they could withdraw almost the whole donation while burning fewer oPEPE than it was worth. The borrow was left backed by next to nothing, effectively draining the protocol's resources.
The 1164 ETH in proceeds, worth $2.1 million, were first transferred to an intermediary address, and then 1140 ETH were moved into Tornado Cash. In addition, the attacker handed out a total of 19.5 ETH of the stolen funds to those who asked. Robin Hood vibes, anyone?
Onyx Protocol Losses
The total value locked (TVL) fell 87%, from $2.9M before the hack to $392K after it. This is the true cost of lagging security, which we call double damage: users rush to withdraw their funds after an exploit. The hack itself accounted for 1164 ETH, and the protocol then lost another 250 ETH of deposits to its damaged reputation and the resulting withdrawals.
Lessons Learned
1. Higher Decentralization: After the attack, the Onyx team started planning how to pay back the lost money. More eyes on governance might have prevented this. The protocol's Proposal 22, which created the lending market for the PEPE memecoin, passed with alarmingly low community participation, indicating the need for greater oversight before a new market goes live.
2. Inherited Risks in Forking: Onyx's troubles were magnified by its status as a fork of Compound Finance, which came with pre-existing vulnerabilities. The same vulnerability had already been exploited in other forks such as Hundred Finance and Midas Capital. It is imperative for forks to inherit not only the code but also the lessons from past exploits.
For enhanced security, Compound V2 forks should, when opening a new market, mint a seed amount of cTokens and burn them (send them to an unrecoverable address) so that the total supply can never be near zero, keep the market's collateral factor at zero until it is genuinely funded, and only then raise the collateral factor to the desired level. The burned supply makes the donation needed to inflate the exchange rate prohibitively expensive, and the zero collateral factor means nothing can be borrowed against the market in the meantime.
3. Importance of Audits and Security Measures: Despite being audited by Certik, Onyx fell through the cracks because the flaw only bites under conditions specific to a newly created, empty market. This underlines the importance of continuous security assessments that consider the live state of each market, not just static code analysis.
4. Stay Ahead of Hackers: The exploit highlights how attackers are often ahead of the curve, exploiting known vulnerabilities before teams patch them. It is a clear signal to DeFi projects to remain vigilant and proactive about security.
5. The Community's Role: For larger protocols like Compound, community engagement often helps catch vulnerabilities. Onyx lacked this level of engagement, which could have provided an additional layer of security.
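To make the mechanics in "Inside The Attack" and the seed-and-burn fix in lesson 2 concrete, here is an added example written for this article: an integer model of Compound V2 cToken accounting (exchange rate, mint, redeem, redeemUnderlying, and the comptroller's hypothetical liquidity check) that replays the attack against a fresh oPEPE market, once as Onyx listed it and once with a seeded-and-burned supply. It is not Onyx's or Compound's code; the PEPE and ETH prices, the 50% collateral factor, the donation size and the account names are assumed for illustration.

```python
"""Added example (not Onyx or Compound code): an integer model of Compound V2
cToken accounting that replays the empty-market attack and the seed-and-burn
fix. Prices, collateral factor and donation size are assumed, not Onyx's."""

EXP = 10**18                    # Compound's 1e18 fixed-point scale
DONATION = 10**12 * 10**18      # 1e12 PEPE, about $1M at the assumed price


class Market:
    """One cToken market; all arithmetic floors like Solidity."""

    def __init__(self, price_usd, collateral_factor, initial_rate=2 * 10**26):
        self.price, self.cf, self.initial_rate = price_usd, collateral_factor, initial_rate
        self.cash = self.total_supply = self.total_borrows = 0
        self.balances, self.borrows = {}, {}

    def exchange_rate(self):
        # exchangeRateStoredInternal: (cash + borrows - reserves) / totalSupply,
        # or the initial rate while the market is empty
        if self.total_supply == 0:
            return self.initial_rate
        return (self.cash + self.total_borrows) * EXP // self.total_supply

    def underlying_of(self, tokens):
        return tokens * self.exchange_rate() // EXP

    def mint(self, who, amount):
        tokens = amount * EXP // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def donate(self, amount):
        """A plain ERC-20 transfer to the contract: cash rises, nothing is minted."""
        self.cash += amount


class Comptroller:
    def __init__(self, *markets):
        self.markets = markets

    def liquidity(self, who, redeem=None, redeem_tokens=0, borrow=None, borrow_amount=0):
        """getHypotheticalAccountLiquidity: CF-weighted collateral minus debt, in USD."""
        collateral = debt = 0
        for m in self.markets:
            held = m.balances.get(who, 0) - (redeem_tokens if m is redeem else 0)
            collateral += m.underlying_of(held) * m.price // EXP * m.cf // EXP
            owed = m.borrows.get(who, 0) + (borrow_amount if m is borrow else 0)
            debt += owed * m.price // EXP
        return collateral - debt

    def borrow(self, m, who, amount):
        assert self.liquidity(who, borrow=m, borrow_amount=amount) >= 0, "borrowAllowed"
        assert m.cash >= amount
        m.cash -= amount
        m.total_borrows += amount
        m.borrows[who] = m.borrows.get(who, 0) + amount

    def redeem_tokens(self, m, who, tokens):
        self._redeem(m, who, tokens, m.underlying_of(tokens))

    def redeem_underlying(self, m, who, amount):
        tokens = amount * EXP // m.exchange_rate()     # floor: the rounding the attack abuses
        self._redeem(m, who, tokens, amount)
        return tokens

    def _redeem(self, m, who, tokens, amount):
        assert self.liquidity(who, redeem=m, redeem_tokens=tokens) >= 0, "redeemAllowed"
        assert m.balances.get(who, 0) >= tokens and m.cash >= amount
        m.balances[who] -= tokens
        m.total_supply -= tokens
        m.cash -= amount


def run_attack(seed_and_burn):
    """Replay the attack against a fresh oPEPE market, with or without the fix."""
    pepe = Market(price_usd=10**12, collateral_factor=EXP // 2)   # $0.000001, CF 50% (assumed)
    eth = Market(price_usd=1800 * EXP, collateral_factor=0)       # $1800 (assumed)
    ctrl = Comptroller(pepe, eth)
    eth.mint("lenders", 1000 * EXP)                               # honest ETH liquidity

    if seed_and_burn:
        pepe.mint("burn-address", 10**18)   # admin seeds 1 PEPE; these cTokens are never redeemed

    # 1. attacker mints, then redeems down to exactly 2 wei of oPEPE
    pepe.mint("attacker", 10**18)
    ctrl.redeem_tokens(pepe, "attacker", pepe.balances["attacker"] - 2)

    # 2. donate underlying straight to the contract; exchange rate = cash / totalSupply
    pepe.donate(DONATION)

    # 3. borrow ETH against the inflated collateral (just under half the limit, so
    #    the position stays solvent after burning one of the two tokens in step 4)
    eth_out = min(ctrl.liquidity("attacker") * 49 // 100 * EXP // eth.price, eth.cash)
    ctrl.borrow(eth, "attacker", eth_out)

    # 4. redeemUnderlying for just under 2 tokens' worth: floor(amount / rate) == 1,
    #    so one token is burned but nearly the whole donation comes back
    amount = min(2 * pepe.exchange_rate() // EXP - 1, pepe.cash)
    burned = ctrl.redeem_underlying(pepe, "attacker", amount)
    return {"eth_borrowed": eth_out, "pepe_recovered": amount,
            "tokens_burned": burned, "pepe_left_in_market": pepe.cash}


if __name__ == "__main__":
    for fixed in (False, True):
        r = run_attack(fixed)
        print("seed-and-burn" if fixed else "empty market ",
              f"ETH borrowed={r['eth_borrowed'] / EXP:.4f}",
              f"PEPE recovered={r['pepe_recovered'] / DONATION:.6f} of donation")
```

Against the empty market the attacker walks away with well over 100 ETH of borrowed funds, has recovered the entire donation, and leaves a single wei of PEPE behind the outstanding debt. With one PEPE minted and its cTokens burned at listing time, the same sequence yields dust: the donation accrues almost entirely to the burned supply, the attacker's two wei of oPEPE support a negligible borrow, and the redeem rounding only hands back a few hundred billionths of what was donated. Keeping the collateral factor at zero until the market is funded closes the borrow step outright.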
Conclusion
The Onyx Protocol hack serves as a wake-up call to the DeFi community. It teaches the importance of community vigilance, rigorous security practices, and the inherent risks of forking code. Moving forward, let's use what happened to Onyx as a guide for making the world of DeFi safer for everyone.