Onyx, a DeFi protocol that is a fork of the popular Compound Finance, has been hit by a $3.2 million exploit on Thursday. This incident marks the second significant attack on the protocol in just over a year.
According to security firm Fuzzland, a malicious contract was deployed to Onyx at 11:57 a.m., just five minutes before the exploit was executed. Competing firms PeckShield and Cyvers also detected suspicious activity on OnyxDAO prior to the hack.
Firms like PeckShield have estimated the total loss to be closer to $3.8 million. The exploit targeted a recognized bug in the forked Compound V2 code base, allowing the attacker to siphon off various stablecoins including VUSD, DAI, and Tether.
According to PeckShield, the hack was facilitated by issues within the NFTLiquidation contract, which failed to properly validate user input, thus inflating the self-liquidation rewards.
This is not the first time Onyx has faced such vulnerabilities. Last October, the protocol experienced a $2.1 million attack due to an integer rounding vulnerability along with a flash loan exploit. Fuzzland's founder, Chaofan Shou, highlighted that the previous attack stemmed from vulnerabilities introduced during the Compound code fork, while this latest incident resulted from errors in Onyx's own logic.
This ongoing challenge underscores the persistent security issues within the crypto ecosystem, especially among DeFi projects.
