Bitcoin 
Ethereum 
Tether 
BNB 
XRP 
USDC 
Solana 
TRON 
Lido Staked Ether 
Figure Heloc 
Dogecoin 
WhiteBIT Coin 
USDS 
Hyperliquid 
LEO Token 
Wrapped stETH 
Cardano 
Bitcoin Cash 
Wrapped Bitcoin 
Chainlink 
Binance Bridged USDT (BNB Smart Chain) 
Monero 
Wrapped Beacon ETH 
Zcash 
Ethena USDe 
Canton 
Wrapped eETH 
Stellar 
MemeCore 
sUSDS 
Dai 
Litecoin 
PayPal USD 
Coinbase Wrapped BTC 
USD1 
Avalanche 
Rain 
WETH 
Hedera 
Sui 
RaveDAO 
USDT0 
Shiba Inu 
Toncoin 
Cronos 
Circle USYC 
Tether Gold 
World Liberty Financial 
BlackRock USD Institutional Digital Liquidity Fund 
Ethena Staked USDe 
PAX Gold 
Bittensor 
Global Dollar 
Mantle 
Uniswap 
Polkadot 
Falcon USD 
OKB 
NEAR Protocol 
Sky 
Little Pepe 
Pi Network 
HTX DAO 
syrupUSDC 
Aster 
USDD 
Aave 
Pepe 
Ripple USD 
Janus Henderson Anemoy Treasury Fund 
Ondo US Dollar Yield 
Internet Computer 
Bitget Token 
BFUSD 
Ethereum Classic 
Ondo 
KuCoin 
Gate 
Jupiter Perpetuals Liquidity Provider Token 
Pump.fun 
Quant 
Algorand 
Worldcoin 
Render 
Jito Staked SOL 
Morpho 
Spiko EU T-Bills Money Market Fund 
Kelp DAO Restaked ETH 
POL (ex-MATIC) 
NEXO 
Binance-Peg WETH 
Kaspa 
Rocket Pool ETH 
Cosmos Hub 
USDtb 
Binance Bridged USDC (BNB Smart Chain) 
Ethena 
Superstate Short Duration U.S. Government Securities Fund (USTB) 
Wrapped BNB 
Blockchain Capital 
Function FBTC 
Aptos 
Filecoin 
JUST 
Flare 
Arbitrum 
syrupUSDT 
Official Trump 
Provenance Blockchain 
Beldex 
Binance Staked SOL 
XDC Network 
Midnight 
OUSG 
VeChain 
Jupiter 
GHO 
NEW X CEO IS BACK 
Polygon Bridged USDC (Polygon PoS) 
YLDS 
Solv Protocol BTC 
Stable 
Lombard Staked BTC 
DeXe 
Usual USD 
PancakeSwap 
clBTC 
Bonk 
Artificial Superintelligence Alliance 
A7A5 
TrueUSD 
Siren 
Dash 
StakeWise Staked ETH 
LayerZero 
Virtuals Protocol 
Kinetiq Staked HYPE 
ADI 
tBTC 
Pudgy Penguins 
WrappedM by M0 
EURC 
Stacks 
First Digital USD 
Janus Henderson Anemoy AAA CLO Fund 
Monad 
Venice Token 
c8ntinuum 
Chiliz 
Mantle Staked Ether 
Tezos 
USX 
Polygon PoS Bridged DAI (Polygon POS) 
Decred 
Resolv wstUSR 
Sei 
COCA 
Kinesis Gold 
PRIME 
Sun Token 
Doge Strategy 
Liquid Staked ETH 
edgeX 
Arbitrum Bridged WBTC (Arbitrum One) 
Aerodrome Finance 
Ether.fi 
AINFT 
Curve DAO 
Wrapped Flare 
BitTorrent 
L2 Standard Bridged WETH (Base) 
Gnosis 
Steakhouse USDC Morpho Vault 
Plasma 
Bitcoin SV 
Injective 
Lido DAO 
USDai 
Binance-Peg XRP 
SPX6900 
Ether.Fi Liquid ETH 
Kinesis Silver 
Renzo Restaked ETH 
币安人生 (BinanceLife) 
Celestia 
Noon 
sBTC 
crvUSD 
DoubleZero 
Conflux 
Jupiter Staked SOL 
Legacy Frax Dollar 
Savings USDD 
Kaia 
FLOKI 
Ape and Pepe 
Marinade Staked SOL 
Official FO 
Arbitrum Bridged WETH (Arbitrum One) 
JasmyCoin 
Onyx Protocol, a Compound Finance fork, suffered a $3.8 million loss on Thursday to mark another entry in a series of attacks as bad actors explore system vulnerability.
Cyber-attacks continue to plague the crypto industry, highlighting the need for enhanced security.
$3.8 Million Hack Hits Onyx Protocol
Blockchain security firm PeckShield highlighted suspicious transactions on OnyxDAO, drawing attention to a possible attack on the protocol. In a follow-up post, the on-chain detective revealed losses reaching $3.8 million, indicating that the hacker was already swapping the funds.
Onyx Protocol Hack. Source: PeckShield
Web3 security firm Cyvers corroborated the incident, citing suspicious transactions involving OnyxDAO on the Ethereum blockchain. According to Cyvers, most of the loss was in VUSD stablecoin.
“Our system has detected a suspicious transaction involving OnyxDAO on the ETH chain! The total loss is around $3.2 million [at the time]. Most of the losses are in VUSD. Attacker currently holds 521 ETH ($1.36 million). The rest of the digital assets are not swapped yet,” Cyvers wrote.
Additional investigations by PeckShield revealed that the attacker capitalized on a known precision issue presented as a bug in the forked Compound V2 code base. They then siphoned 4.1 million VUSD, 7.35 million XCN, 5,000 DAI, 0.23 WBTC, and 50,000 USDT. Reportedly, the bug leveraged a nearly empty market to manipulate the exchange rate.
Notably, hackers used the same approach in October 2023, hacking the same protocol for $2.1 million. In the October incident, the vulnerability was a rounding error. At the time, researchers ascribed the vulnerability to Onyx Protocol being a fork of Compound Finance.
How the Code Vulnerability Occurs
With many DeFi protocols being open-source, developers tend to avoid the long approach. They opt to build off of an existing code as opposed to implementing functionality from scratch.
The approach is considered popular as it can improve efficiency and security when done correctly. The downside is that if the template code is not secure, the fork may inherit the vulnerabilities.
“In the case of the Onyx protocol, the Compound Finance code that it used had a known vulnerability that had already been exploited in Hundred Finance and Midas Capital, which also forked the Compound Finance code. However, the Onyx Protocol used the same code and lacked the community support and vigilance needed to prevent the vulnerability from being exploited,” security firm Halborn reported.
This means the Onyx Protocol hack could have been prevented, given the prevalence of rounding errors. Notably, guidance already exists when launching new markets on Compound Finance and its forks.
“At Hexagate, we recommend any Compound V2 fork, when launching new markets to mint some cTokens and burn them to make sure the total supply never goes to zero. When the total supply goes to zero, the protocol becomes vulnerable and this strategy mitigates this situation,” security firm Hexgate guided in April 2023.
These incidences, including a $4.6 million attack on decentralized infrastructure Truflation on Wednesday, reflect the prevalent challenge in the crypto industry, where bad actors use different mechanisms to steal digital assets.
