TL;DR#
On November 1, 2023, the Onyx Protocol was exploited on the Ethereum Mainnet due to a smart contract vulnerability, which resulted in a loss of 1,164 ETH, worth approximately $2,100,794.
Introduction to Onyx#
Onyx Protocol is an algorithmic money market designed to bring secure and trustless credit and lending to users on the Ethereum Network.
Vulnerability Assessment#
The root cause of the exploit is a precision loss vulnerability. The attack vector is a known issue on all of the CompoundV2 forks.
The attack is similar to the earlier exploit on Hundred Finance, which suffered a loss of approximately $7 million. Midas Capital was also exploited due to the same issue, resulting in a loss of $600,000. Essentially, the exploiter targeted empty pools that lacked lending activity, thereby gaining control over the liquidity.
Steps#
Step 1:
We attempt to analyze one of the attack transactions executed by the exploiter.
Step 2:
The exploited oPEPE market was deployed five days ago, prior to the attack, without any liquidity.
Step 3:
The attacker took a flash loan of 4,000 ETH, converted it to PEPE tokens, and then contributed PEPE tokens to this empty pool.
Step 4:
This empty market and a substantial donation caused the market to be biased, allowing the attacker to borrow funds from other markets with liquidity.
Step 5:
The rounding error was then exploited to redeem the donated PEPE tokens. The borrowed flash loan was repaid, and the attacker took the remaining funds as profit.
Step 6:
The exploiter has since laundered the stolen assets worth 1,130 ETH to Tornado Cash.
Aftermath#
The community leader of Onyx acknowledged the occurrence of the exploit and stated that the total loss due to this incident is 1,163.53 ETH, worth approximately $2.1 million. The team has isolated the vulnerability and is working on the consequences with their partners.
The exploit didn't affect the XCN token and its contract, the XCN staking pool, or the Uniswap trading pools.
Solution#
In light of the recent exploit on the Onyx Protocol, several security considerations have been brought to the fore, especially concerning the CompoundV2 fork. These considerations will significantly mitigate the risk of such vulnerabilities and secure the ecosystem.
One of the critical aspects to be vigilant about is extreme situations. For instance, during market initialization and periods of market illiquidity, there's an increased vulnerability. This is because empty pools or those with minimal activity are prime targets for attackers. To counteract this, it is recommended that markets reserve a small amount of shares upon their initialization. This simple action can act as a buffer, preventing manipulation by malicious actors who might seek to take advantage of an otherwise empty pool.
Furthermore, the importance of conducting strict audits of proposals cannot be overstated. With the decentralized nature of these protocols, it's essential to ensure that every proposal undergoes thorough scrutiny to prevent any malicious proposals from being approved. This requires not only an advanced understanding of the underlying smart contracts but also foresight into potential attack vectors.
To add another layer of security, setting up robust monitoring systems and pausing or blocking contracts for potential attacks is crucial. A real-time monitoring system can alert the team to any unusual or suspicious activities. By having such a system in place, immediate action can be taken to halt any activities that resemble known attack patterns or any other anomalies.
Lastly, for those operating a Compound V2 fork, it's imperative to ensure there are no pools without liquidity on any chain. These liquidity-less pools are simple to manipulate, which can result in sizable losses, as the most recent exploit demonstrated. By ensuring every pool has sufficient liquidity, this particular attack vector is neutralized.
However, even with the most rigorous security measures, there's always a risk of unforeseen vulnerabilities. This inherent unpredictability highlights the need for robust protective measures, akin to what we offer at Neptune Mutual. Had the team associated with Onyx Protocol collaborated with us in setting up a dedicated cover pool in advance, the financial aftermath of the exploit might have been considerably mitigated. Our cover pools act as financial lifelines, offering users a mechanism to rebound from potential financial downturns due to smart contract vulnerabilities.
By partnering with Neptune Mutual, users are relieved from the often intricate task of furnishing exhaustive evidence of their financial losses. As soon as an incident is verified and resolved through our incident management framework, our foremost priority shifts to the swift disbursement of claims. This ensures timely financial assistance for the impacted parties.
With our operations spanning across multiple blockchain networks, including Ethereum, Arbitrum, and the BNB chain, we're devoted to providing our protective services to a broad spectrum of DeFi enthusiasts. Our steadfast commitment to user safety instills trust in the DeFi sector, particularly following significant security lapses like the Onyx exploit.
Reference Source BlockSec
