Explained: The Onyx Protocol Hack (October 2023)

- Assurance
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  AI Red Teaming
  Testing AI systems against real threats
  AI Red Teaming
  Testing AI systems against real threats
  AI Security Assessment
  Securing AI models, data, and pipelines
  AI Security Assessment
  Securing AI models, data, and pipelines
- Advisory
  AI Advisory
  Guiding secure, strategic AI adoption forward
  AI Advisory
  Guiding secure, strategic AI adoption forward
  Risk Assessment
  From unknown threats to actionable insights
  Risk Assessment
  From unknown threats to actionable insights
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Compliance Readiness
  Stay ready as regulations evolve
  Compliance Readiness
  Stay ready as regulations evolve
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Technical Due Diligence
  See the risks before you invest
  Technical Due Diligence
  See the risks before you invest
  Technical Training
  Empower your teams to secure what matters
  Technical Training
  Empower your teams to secure what matters

In October 2023, the Onyx Protocol, a fork of Compound Finance, suffered a hack. The attackers took advantage of a known vulnerability in the protocol — that has been exploited multiple times in similar projects — to drain it of $2.1 million.

Inside the Attack

The Onyx Protocol’s woes stem from the fact that it is a fork of Compound Finance. Many DeFi protocols are open-source, enabling developers to avoid implementing functionality from scratch and, instead, build off of existing code. While this approach of not reinventing the wheel is often considered design best practice — since it can improve efficiency and security if done correctly — this does come with some caveats.

One of these caveats is to ensure that the code being copied is secure and to fix any vulnerabilities that arise after the fork. In the case of the Onyx protocol, the Compound Finance code that it used had a known vulnerability that had already been exploited in Hundred Finance and Midas Capital, which also forked the Compound Finance code. However, the Onyx Protocol used the same code and lacked the community support and vigilance needed to prevent the vulnerability from being exploited.

The vulnerability in question is a rounding error that can be exploited by taking advantage of empty markets. Such a market was created with the creation of a pool for the memecoin PEPE that was recently added to the Onyx Protocol.

The attacker mints some tokens (oPEPE) in this empty market and then donates to its pool, inflating the perceived value of the oPEPE tokens. The attacker then uses this incorrect exchange rate to borrow some other against their oPEPE. Upon redemption, the routing error is exploited, enabling the attacker to drain value from the protocol.

Lessons Learned from the Attack

The Onyx Protocol attack is a classic example of a preventable hack. The rounding error is a well-known issue, and guidance has been provided when launching new markets on Compound Finance and its forks.

For more established versions of the protocol, like Compound Finance, the community monitors proposals to identify ones like the one that created the PEPE empty market. However, Proposal 22, which created the vulnerability, only received 11 votes, mostly from a single address.

The Onyx Protocol hack was made possible by a combination of a programming error and a lack of community involvement.

For more information on protecting your blockchain project against potential attacks, get in touch with Halborn.

Explained: The Onyx Protocol Hack (October 2023)

Inside the Attack

Lessons Learned from the Attack

Related Blog Posts

Disclaimer