DeFi protocol Onyx hit with a $3.2 million exploit, marking second attack within a year

Onyx, a fork of DeFi lending protocol Compound Finance, was hit with a $3.2 million on Thursday, marking the second time the protocol’s smart contract was exploited over the past year. 

According to security firm Fuzzland, a malicious contract was deployed to Onyx at 11:57 a.m., approximately five minutes before the attack occurred. Rival security firms PeckShield and Cyvers also noticed suspicious transactions on OnyxDAO, prior to the hack. 

Cyvers noted most of the losses were in VUSD, a U.S. dollar-denominated stablecoin. The suspected attacker also holds 521 ETH worth about $1.36 million and, according to Cyvers , has hesitated to swap the stolen assets. 

According to PeckShield, which pins the loss at closer to $3.8 million , the attacker attacked a known bug in the forked Compound V2 code base and was able to siphon VUSD, DAI and tether stablecoins, among other cryptocurrencies. 

“Another issue that facilitates the hack is related to the NFTLiquidation contract, which does not properly validate (untrusted) user input and was exploited to inflate the self-liquidation reward amount,” Peckshield wrote on X.

Last October, Onyx suffered a $2.1 million attack exploiting an integer rounding vulnerability and a flash loan attack. 

"Last year was due to a vulnerability introduced when they forked compromised Compound code. This time they introduced a vulnerability themselves via errors in their logic," Fuzzland founder Chaofan Shou told The Block in a message.