QI Quadriga Initiative

Nov 2023 - Onyx Protocol PEPE Market Donation - $2.1m (Global)

"The Backbone of Decentralised Web3 Protocols"

"Onyx Protocol is an algorithmic money market designed to bring secure and trustless credit and lending to users on Ethereum Network.

Onyx enables investors to lend and/or borrow cryptocurrencies, by pledging the platform an over-collateralized amount of cryptocurrency. Onyx does this by utilizing money markets, which are pools of assets with algorithmically derived interest rates, based on the supply and demand of each asset.

Users who choose to supply liquidity to Onyx earn compounded interest as rewards for supplying their assets to the protocol. When supplying assets, users are also given the ability to mint stable-coins, or borrow other assets against their supplied assets. Once a user has supplied assets to Onyx, the user can then borrow assets or mint stable-coins, by over-collateralizing and paying interest on the amount borrowed.

Loans from the Onyx protocol do not have monthly payments, late fees, and can be paid off at any time. Onyx is able to do this without ever requiring a credit check, with near immediate origination, using smart contracts that provide an automated, and absolutely transparent system for investment and profit distribution.

Onyx also provides loans for CryptoPunks and BAYC. NFT holders can leverage their idle NFTs to obtain loans and earn extra yield."

"In Onyx’ case, governance had recently voted through Proposal 22 to add a lending market for memecoin PEPE to the protocol." "Onyx Protocol Deployment: Onyx Protocol introduced the "oPEPE" market with no initial liquidity."

"many of the findings during their audit were acknowledged instead of fixed. There is no point in reaching out to security researchers if you do not listen to their advice."

"The exact same attack vector has hit two other forks, Hundred Finance and Midas Capital (themselves both repeat leaderboard entrants), already this year, tipping the total lost to this bug over the $10M mark."

"Onyx Protocol Deployment: Onyx Protocol introduced the "oPEPE" market with no initial liquidity just five days before the exploit."

"Rounding Issue Exploited: Attackers leveraged a known rounding issue from the CompoundV2 fork, affecting how numbers are handled in oPEPE's smart contracts."

"Donation and Borrowing: Attackers initiated the exploit by making a small donation to oPEPE, enabling them to borrow substantial assets from liquid markets."

"Exploitative Redemption: The critical step was the attackers exploiting the rounding issue when redeeming borrowed assets, resulting in significant profit."

"Similar to Past Hack: This technique resembled the one used in the Hundred Finance hack, suggesting a shared vulnerability in the CompoundV2 fork."

"In the process of the Onyx Protocol exploit, the attacker executed a series of complex swaps to obfuscate their actions and facilitate the theft of funds."

"Compound fork @OnyxProtocol lost $2.1M on Tuesday, to a high-profile, well-known vulnerability. Many protocols have fallen victim to repeated vulnerabilities so far this year. Are devs paying attention?"

"The @OnyxProtocol experienced an exploit. Fund loss is 1,163.53 ETH ~$2.1mln. We are aware of the situation, closed the vulnerability, and working on the consequences with our partners."

Further Analysis

Onyx Protocol is an algorithmic money market designed to bring secure and trustless credit and lending to users on the Ethereum network. On November 1st, 2023, they introduced a new market for the PEPE meme coin. Unfortunately, this market lacked liquidity, and a rounding error in the liquidity smart contract enabled an attacker to exploit it and walk off with $2.1m USD. Plans were ultimately made to reimburse users via a third-party acquisition of the platform.
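The rounding exposure described above, modelled with exact integer arithmetic as an added example (a simplified Compound V2-style share calculation, not code from Onyx or from the sources quoted here). The function names, the `min_supply` threshold and all balances are assumptions chosen to show why a market with almost no shares outstanding turns rounding dust into a material loss, and how rounding in the pool's favour or refusing thin markets removes it.

```python
# Added example: simplified model of Compound V2-style share arithmetic.
# Not Onyx's contract code; all balances below are constructed.
EXP_SCALE = 10**18  # fixed-point scale of the exchange rate


def exchange_rate(cash, borrows, reserves, total_supply, initial_rate=2 * 10**26):
    """Underlying per share, scaled by 1e18; integer division truncates."""
    if total_supply == 0:
        return initial_rate
    return (cash + borrows - reserves) * EXP_SCALE // total_supply


def shares_burned(redeem_amount, rate, round_up=False):
    """Shares charged for withdrawing redeem_amount of underlying."""
    numerator = redeem_amount * EXP_SCALE
    if round_up:  # hardened variant: rounding favours the pool
        return -(-numerator // rate)
    return numerator // rate  # truncating variant described on the page


def underpayment(redeem_amount, rate, round_up=False):
    """Underlying paid out minus the value of the shares actually burned."""
    burned = shares_burned(redeem_amount, rate, round_up)
    return redeem_amount - burned * rate // EXP_SCALE


def worst_case_underpayment(rate):
    """Truncation can drop just under one share, so this bounds the loss."""
    return (rate - 1) // EXP_SCALE


def listing_check(total_supply, min_supply=10**6):
    """Guard for listing or monitoring: min_supply is an assumed threshold."""
    if total_supply == 0:
        return "empty"  # seed and lock initial shares before enabling
    if total_supply < min_supply:
        return "thin"   # one share is a large slice of the pool
    return "ok"


# Constructed states: an established market and a freshly listed one whose
# cash was raised by a direct transfer while only 2 share units exist.
ESTABLISHED = dict(cash=5_000 * 10**18, borrows=0, reserves=0, total_supply=25 * 10**12)
FRESH = dict(cash=2_000 * 10**18, borrows=0, reserves=0, total_supply=2)

if __name__ == "__main__":
    for name, m in (("established", ESTABLISHED), ("fresh", FRESH)):
        rate = exchange_rate(**m)
        print(name, listing_check(m["total_supply"]), worst_case_underpayment(rate))
```

In the established market the bound is under 2e8 base units of an 18-decimal token, which is dust; in the fresh market it is just under half of the pool's cash, and the `round_up=True` variant turns that into a one-unit gain for the pool.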

How Could This Have Been Prevented?



