Rob Behnke
November 7th, 2023
In October 2023, the Onyx Protocol, a fork of Compound Finance, suffered a hack. The attackers took advantage of a known vulnerability in the protocol — that has been exploited multiple times in similar projects — to drain it of $2.1 million.
The Onyx Protocol’s woes stem from the fact that it is a fork of Compound Finance. Many DeFi protocols are open-source, enabling developers to avoid implementing functionality from scratch and, instead, build off of existing code. While this approach of not reinventing the wheel is often considered design best practice — since it can improve efficiency and security if done correctly — this does come with some caveats.
One of these caveats is to ensure that the code being copied is secure and to fix any vulnerabilities that arise after the fork. In the case of the Onyx protocol, the Compound Finance code that it used had a known vulnerability that had already been exploited in Hundred Finance and Midas Capital, which also forked the Compound Finance code. However, the Onyx Protocol used the same code and lacked the community support and vigilance needed to prevent the vulnerability from being exploited.
The vulnerability in question is a rounding error that can be exploited by taking advantage of empty markets. Such a market was created with the creation of a pool for the memecoin PEPE that was recently added to the Onyx Protocol.
The attacker mints some tokens (oPEPE) in this empty market and then donates to its pool, inflating the perceived value of the oPEPE tokens. The attacker then uses this incorrect exchange rate to borrow some other against their oPEPE. Upon redemption, the routing error is exploited, enabling the attacker to drain value from the protocol.
The Onyx Protocol attack is a classic example of a preventable hack. The rounding error is a well-known issue, and guidance has been provided when launching new markets on Compound Finance and its forks.
For more established versions of the protocol, like Compound Finance, the community monitors proposals to identify ones like the one that created the PEPE empty market. However, Proposal 22, which created the vulnerability, only received 11 votes, mostly from a single address.
The Onyx Protocol hack was made possible by a combination of a programming error and a lack of community involvement.
For more information on protecting your blockchain project against potential attacks, get in touch with Halborn.