Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
Solana 
USDC 
Dogecoin 
TRON 
Cardano 
Lido Staked Ether 
Wrapped Bitcoin 
LEO Token 
Avalanche 
Chainlink 
Stellar 
Toncoin 
USDS 
Sui 
Shiba Inu 
Hedera 
Wrapped stETH 
Bitcoin Cash 
Litecoin 
Polkadot 
Hyperliquid 
Bitget Token 
Binance Bridged USDT (BNB Smart Chain) 
Ethena USDe 
Pi Network 
WETH 
WhiteBIT Coin 
Monero 
Wrapped eETH 
Uniswap 
Coinbase Wrapped BTC 
OKB 
Dai 
Pepe 
Aptos 
Gate 
Ondo 
Tokenize Xchange 
NEAR Protocol 
sUSDS 
BlackRock USD Institutional Digital Liquidity Fund 
Internet Computer 
Cronos 
Mantle 
Ethereum Classic 
Ethena Staked USDe 
Aave 
Bittensor 
Render 
VeChain 
Kaspa 
Cosmos Hub 
Lombard Staked BTC 
Fasttoken 
First Digital USD 
Ethena 
Algorand 
Filecoin 
Sonic (prev. FTM) 
POL (ex-MATIC) 
Official Trump 
Celestia 
Jupiter Perpetuals Liquidity Provider Token 
Arbitrum 
Solv Protocol SolvBTC 
KuCoin 
Artificial Superintelligence Alliance 
Maker 
XDC Network 
Binance Staked SOL 
Story 
Optimism 
Jupiter 
USDT0 
NEXO 
Flare 
Bonk 
Binance-Peg WETH 
Kelp DAO Restaked ETH 
Worldcoin 
Stacks 
EOS 
Sei 
Fartcoin 
Binance Bridged USDC (BNB Smart Chain) 
PayPal USD 
DeXe 
Polygon Bridged USDT (Polygon) 
Wrapped BNB 
Tether Gold 
Rocket Pool ETH 
Curve DAO 
Injective 
JasmyCoin 
The Graph 
Solv Protocol xSolvBTC 
PAX Gold 
Immutable 
Usual USD 
Movement 
Arbitrum Bridged WBTC (Arbitrum One) 
Onyxcoin 
Theta Network 
Helium 
GALA 
Mantle Staked Ether 
Jupiter Staked SOL 
The Sandbox 
Lido DAO 
Stables Labs USDX 
Raydium 
BitTorrent 
Marinade Staked SOL 
IOTA 
Kaia 
Ondo US Dollar Yield 
Walrus 
MANTRA 
Bitcoin SV 
Flow 
PancakeSwap 
FLOKI 
Jito 
Tezos 
Pendle 
Decentraland 
Renzo Restaked ETH 
Core 
Zcash 
TrueUSD 
Ethereum Name Service 
Pyth Network 
Sonic Bridged USDC.e (Sonic) 
Beldex 
pumpBTC 
SPX6900 
Bridged USDC (Polygon PoS Bridge) 
Kava 
Telcoin 
Berachain 
Grass 
Avalanche Bridged BTC (Avalanche) 
dYdX 
clBTC 
APENFT 
dogwifhat 
Reserve Rights 
StakeWise Staked ETH 
Solayer 
Binance-Peg Dogecoin 
USDB 
Hashnote USYC 
THORChain 
Virtuals Protocol 
OUSG 
MultiversX 
Mantle Restaked ETH 
eCash 
tBTC 
Olympus 
ether.fi Staked ETH 
Resolv USR 
NEO 
Brett 
Honey 
Compound 
L2 Standard Bridged WETH (Base) 
Conflux 
Axie Infinity 
Chiliz 
uBTC 
Starknet 
Super OETH 
Mantle Bridged USDT (Mantle) 
Aerodrome Finance 
Arbitrum Bridged WETH (Arbitrum One) 
Arweave 
ApeCoin 
Stargate Bridged USDC (Berachain) 
Infrared Bera 
USDD 
Sun Token 
Wormhole 
Binance-Peg BUSD 
Polygon 
Frax 
Terra Luna Classic 
AIOZ Network 
Trust Wallet 
Beam 
Saros 
WEMIX 
Plume 
Amp 
Pudgy Penguins 
Onyx Protocol, a Compound Finance fork, suffered a $3.8 million loss on Thursday to mark another entry in a series of attacks as bad actors explore system vulnerability.
Cyber-attacks continue to plague the crypto industry, highlighting the need for enhanced security.
$3.8 Million Hack Hits Onyx Protocol
Blockchain security firm PeckShield highlighted suspicious transactions on OnyxDAO, drawing attention to a possible attack on the protocol. In a follow-up post, the on-chain detective revealed losses reaching $3.8 million, indicating that the hacker was already swapping the funds.
Onyx Protocol Hack. Source: PeckShield
Web3 security firm Cyvers corroborated the incident, citing suspicious transactions involving OnyxDAO on the Ethereum blockchain. According to Cyvers, most of the loss was in VUSD stablecoin.
“Our system has detected a suspicious transaction involving OnyxDAO on the ETH chain! The total loss is around $3.2 million [at the time]. Most of the losses are in VUSD. Attacker currently holds 521 ETH ($1.36 million). The rest of the digital assets are not swapped yet,” Cyvers wrote.
Additional investigations by PeckShield revealed that the attacker capitalized on a known precision issue presented as a bug in the forked Compound V2 code base. They then siphoned 4.1 million VUSD, 7.35 million XCN, 5,000 DAI, 0.23 WBTC, and 50,000 USDT. Reportedly, the bug leveraged a nearly empty market to manipulate the exchange rate.
Notably, hackers used the same approach in October 2023, hacking the same protocol for $2.1 million. In the October incident, the vulnerability was a rounding error. At the time, researchers ascribed the vulnerability to Onyx Protocol being a fork of Compound Finance.
How the Code Vulnerability Occurs
With many DeFi protocols being open-source, developers tend to avoid the long approach. They opt to build off of an existing code as opposed to implementing functionality from scratch.
The approach is considered popular as it can improve efficiency and security when done correctly. The downside is that if the template code is not secure, the fork may inherit the vulnerabilities.
“In the case of the Onyx protocol, the Compound Finance code that it used had a known vulnerability that had already been exploited in Hundred Finance and Midas Capital, which also forked the Compound Finance code. However, the Onyx Protocol used the same code and lacked the community support and vigilance needed to prevent the vulnerability from being exploited,” security firm Halborn reported.
This means the Onyx Protocol hack could have been prevented, given the prevalence of rounding errors. Notably, guidance already exists when launching new markets on Compound Finance and its forks.
“At Hexagate, we recommend any Compound V2 fork, when launching new markets to mint some cTokens and burn them to make sure the total supply never goes to zero. When the total supply goes to zero, the protocol becomes vulnerable and this strategy mitigates this situation,” security firm Hexgate guided in April 2023.
These incidences, including a $4.6 million attack on decentralized infrastructure Truflation on Wednesday, reflect the prevalent challenge in the crypto industry, where bad actors use different mechanisms to steal digital assets.
