Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
USDC 
TRON 
Lido Staked Ether 
Dogecoin 
Figure Heloc 
Cardano 
Bitcoin Cash 
Wrapped stETH 
Monero 
WhiteBIT Coin 
Wrapped Bitcoin 
Wrapped Beacon ETH 
Wrapped eETH 
USDS 
Chainlink 
Binance Bridged USDT (BNB Smart Chain) 
LEO Token 
WETH 
Stellar 
Coinbase Wrapped BTC 
Sui 
Zcash 
Ethena USDe 
Litecoin 
Avalanche 
Hyperliquid 
Canton 
Shiba Inu 
Hedera 
World Liberty Financial 
sUSDS 
USDT0 
Dai 
Toncoin 
Cronos 
Ethena Staked USDe 
PayPal USD 
USD1 
Polkadot 
Uniswap 
Mantle 
Rain 
MemeCore 
Bittensor 
Aave 
Bitget Token 
Pepe 
Tether Gold 
OKB 
NEAR Protocol 
Falcon USD 
Jito Staked SOL 
Ethereum Classic 
Binance-Peg WETH 
PAX Gold 
BlackRock USD Institutional Digital Liquidity Fund 
Pi Network 
Internet Computer 
Ethena 
Aster 
Solana 
POL (ex-MATIC) 
HTX DAO 
Jupiter Perpetuals Liquidity Provider Token 
Binance Staked SOL 
Circle USYC 
Global Dollar 
Worldcoin 
KuCoin 
Pump.fun 
syrupUSDC 
Ripple USD 
Aptos 
BFUSD 
Wrapped BNB 
Provenance Blockchain 
Sky 
Binance Bridged USDC (BNB Smart Chain) 
Rocket Pool ETH 
Kaspa 
Render 
Cosmos Hub 
Ondo 
Gate 
Arbitrum 
Algorand 
Kelp DAO Restaked ETH 
MYX Finance 
Midnight 
Filecoin 
Official Trump 
Story 
Bridged Wrapped Lido Staked Ether (Scroll) 
Lombard Staked BTC 
Function FBTC 
VeChain 
Solv Protocol BTC 
NEXO 
Flare 
USDD 
Bonk 
XDC Network 
Janus Henderson Anemoy AAA CLO Fund 
USDtb 
Mantle Staked Ether 
Liquid Staked ETH 
OUSG 
Superstate Short Duration U.S. Government Securities Fund (USTB) 
WrappedM by M^0 
Sei 
Polygon Bridged USDC (Polygon PoS) 
Pudgy Penguins 
Arbitrum Bridged WBTC (Arbitrum One) 
clBTC 
Morpho 
Stacks 
Renzo Restaked ETH 
Ondo US Dollar Yield 
Jupiter Staked SOL 
Beldex 
USDai 
Jupiter 
syrupUSDT 
Wrapped Flare 
PancakeSwap 
Artificial Superintelligence Alliance 
StakeWise Staked ETH 
Virtuals Protocol 
L2 Standard Bridged WETH (Base) 
Polygon PoS Bridged DAI (Polygon POS) 
Optimism 
Tezos 
Spiko EU T-Bills Money Market Fund 
Curve DAO 
Arbitrum Bridged WETH (Arbitrum One) 
Kinetiq Staked HYPE 
Usual USD 
tBTC 
Lighter 
SPX6900 
Chiliz 
Lido DAO 
Aerodrome Finance 
Dash 
Injective 
GHO 
First Digital USD 
GTETH 
TrueUSD 
FLOKI 
Marinade Staked SOL 
Ether.fi 
Fasttoken 
Celestia 
Ether.Fi Liquid ETH 
Steakhouse USDC Morpho Vault 
Maple Finance 
Stader ETHx 
The Graph 
Coinbase Wrapped Staked ETH 
AB 
JasmyCoin 
sBTC 
BitTorrent 
USDB 
Starknet 
Wrapped ApeCoin 
Staked Aave 
IOTA 
DoubleZero 
JUST 
Sun Token 
River 
Ethereum Name Service 
Conflux 
Bitcoin SV 
Wrapped STX (Velar) 
Pyth Network 
dogwifhat 
Onyxcoin 
Gnosis 
Trust Wallet 
Fartcoin 
AINFT 
Cap USD 
crvUSD 
Kaia 
EURC 
Pendle 
Telcoin 
Avalanche Bridged BTC (Avalanche) 
Kinesis Gold 
Olympus 
Binance-Peg Dogecoin 
c8ntinuum 
Onyx Protocol, a Compound Finance fork, suffered a $3.8 million loss on Thursday to mark another entry in a series of attacks as bad actors explore system vulnerability.
Cyber-attacks continue to plague the crypto industry, highlighting the need for enhanced security.
$3.8 Million Hack Hits Onyx Protocol
Blockchain security firm PeckShield highlighted suspicious transactions on OnyxDAO, drawing attention to a possible attack on the protocol. In a follow-up post, the on-chain detective revealed losses reaching $3.8 million, indicating that the hacker was already swapping the funds.
Onyx Protocol Hack. Source: PeckShield
Web3 security firm Cyvers corroborated the incident, citing suspicious transactions involving OnyxDAO on the Ethereum blockchain. According to Cyvers, most of the loss was in VUSD stablecoin.
“Our system has detected a suspicious transaction involving OnyxDAO on the ETH chain! The total loss is around $3.2 million [at the time]. Most of the losses are in VUSD. Attacker currently holds 521 ETH ($1.36 million). The rest of the digital assets are not swapped yet,” Cyvers wrote.
Additional investigations by PeckShield revealed that the attacker capitalized on a known precision issue presented as a bug in the forked Compound V2 code base. They then siphoned 4.1 million VUSD, 7.35 million XCN, 5,000 DAI, 0.23 WBTC, and 50,000 USDT. Reportedly, the bug leveraged a nearly empty market to manipulate the exchange rate.
Notably, hackers used the same approach in October 2023, hacking the same protocol for $2.1 million. In the October incident, the vulnerability was a rounding error. At the time, researchers ascribed the vulnerability to Onyx Protocol being a fork of Compound Finance.
How the Code Vulnerability Occurs
With many DeFi protocols being open-source, developers tend to avoid the long approach. They opt to build off of an existing code as opposed to implementing functionality from scratch.
The approach is considered popular as it can improve efficiency and security when done correctly. The downside is that if the template code is not secure, the fork may inherit the vulnerabilities.
“In the case of the Onyx protocol, the Compound Finance code that it used had a known vulnerability that had already been exploited in Hundred Finance and Midas Capital, which also forked the Compound Finance code. However, the Onyx Protocol used the same code and lacked the community support and vigilance needed to prevent the vulnerability from being exploited,” security firm Halborn reported.
This means the Onyx Protocol hack could have been prevented, given the prevalence of rounding errors. Notably, guidance already exists when launching new markets on Compound Finance and its forks.
“At Hexagate, we recommend any Compound V2 fork, when launching new markets to mint some cTokens and burn them to make sure the total supply never goes to zero. When the total supply goes to zero, the protocol becomes vulnerable and this strategy mitigates this situation,” security firm Hexgate guided in April 2023.
These incidences, including a $4.6 million attack on decentralized infrastructure Truflation on Wednesday, reflect the prevalent challenge in the crypto industry, where bad actors use different mechanisms to steal digital assets.
