Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
USDC 
TRON 
Lido Staked Ether 
Dogecoin 
Cardano 
Figure Heloc 
WhiteBIT Coin 
Wrapped stETH 
Wrapped Bitcoin 
Bitcoin Cash 
Wrapped Beacon ETH 
Hyperliquid 
USDS 
Chainlink 
Binance Bridged USDT (BNB Smart Chain) 
LEO Token 
Stellar 
WETH 
Wrapped eETH 
Zcash 
Monero 
Ethena USDe 
Coinbase Wrapped BTC 
Litecoin 
Avalanche 
Hedera 
Sui 
Shiba Inu 
Dai 
World Liberty Financial 
Cronos 
Ethena Staked USDe 
Toncoin 
sUSDS 
Uniswap 
PayPal USD 
Polkadot 
USDT0 
Mantle 
Canton 
Bittensor 
Aave 
USD1 
Bitget Token 
NEAR Protocol 
BlackRock USD Institutional Digital Liquidity Fund 
OKB 
Tether Gold 
Internet Computer 
Aster 
Falcon USD 
MemeCore 
Ethereum Classic 
Pi Network 
Ethena 
Pepe 
Jito Staked SOL 
Binance-Peg WETH 
Pump.fun 
Jupiter Perpetuals Liquidity Provider Token 
Rain 
Solana 
Ondo 
HTX DAO 
Kaspa 
Aptos 
Worldcoin 
KuCoin 
POL (ex-MATIC) 
PAX Gold 
syrupUSDC 
USDtb 
BFUSD 
Rocket Pool ETH 
Binance Bridged USDC (BNB Smart Chain) 
Algorand 
Ripple USD 
Gate 
Provenance Blockchain 
Wrapped BNB 
Global Dollar 
Arbitrum 
Circle USYC 
Official Trump 
Sky 
Flare 
Cosmos Hub 
VeChain 
Filecoin 
Binance Staked SOL 
Kelp DAO Restaked ETH 
Function FBTC 
Kinetiq Staked HYPE 
Lombard Staked BTC 
Liquid Staked ETH 
Solv Protocol BTC 
NEXO 
syrupUSDT 
XDC Network 
Render 
First Digital USD 
Superstate Short Duration U.S. Government Securities Fund (USTB) 
Sei 
Story 
Morpho 
Bonk 
PancakeSwap 
Jupiter 
OUSG 
Mantle Staked Ether 
Janus Henderson Anemoy AAA CLO Fund 
Renzo Restaked ETH 
Arbitrum Bridged WBTC (Arbitrum One) 
Dash 
Pudgy Penguins 
clBTC 
Artificial Superintelligence Alliance 
Ondo US Dollar Yield 
SPX6900 
Jupiter Staked SOL 
Starknet 
Aerodrome Finance 
Optimism 
Virtuals Protocol 
Polygon Bridged USDC (Polygon PoS) 
Curve DAO 
USDai 
StakeWise Staked ETH 
Polygon PoS Bridged DAI (Polygon POS) 
Beldex 
Injective 
Lido DAO 
Stacks 
tBTC 
AB 
Marinade Staked SOL 
Usual USD 
The Graph 
L2 Standard Bridged WETH (Base) 
Tezos 
Arbitrum Bridged WETH (Arbitrum One) 
Celestia 
TrueUSD 
cgETH Hashkey Cloud 
Ether.fi 
Mantle Bridged USDT (Mantle) 
FLOKI 
MYX Finance 
IOTA 
USDD 
GTETH 
Kaia 
Stader ETHx 
Telcoin 
Pendle 
Ethereum Name Service 
Spiko EU T-Bills Money Market Fund 
Ether.Fi Liquid ETH 
Plasma 
Pyth Network 
Trust Wallet 
Conflux 
Steakhouse USDC Morpho Vault 
Bitcoin SV 
Sonic 
Basic Attention 
GHO 
The Sandbox 
BitTorrent 
DoubleZero 
USDB 
Sun Token 
Helium 
Swell Ethereum 
Merlin Chain 
Decred 
sBTC 
Coinbase Wrapped Staked ETH 
JUST 
Lorenzo Wrapped Bitcoin 
Binance-Peg Dogecoin 
dogwifhat 
AINFT 
Flow 
Wrapped HYPE 
Monad 
Avalanche Bridged BTC (Avalanche) 
BENQI Liquid Staked AVAX 
ether.fi Staked ETH 
GALA 
JasmyCoin 
Olympus 
Gnosis 
Theta Network 
Compound 
Onyx Protocol, a Compound Finance fork, suffered a $3.8 million loss on Thursday to mark another entry in a series of attacks as bad actors explore system vulnerability.
Cyber-attacks continue to plague the crypto industry, highlighting the need for enhanced security.
$3.8 Million Hack Hits Onyx Protocol
Blockchain security firm PeckShield highlighted suspicious transactions on OnyxDAO, drawing attention to a possible attack on the protocol. In a follow-up post, the on-chain detective revealed losses reaching $3.8 million, indicating that the hacker was already swapping the funds.
Onyx Protocol Hack. Source: PeckShield
Web3 security firm Cyvers corroborated the incident, citing suspicious transactions involving OnyxDAO on the Ethereum blockchain. According to Cyvers, most of the loss was in VUSD stablecoin.
“Our system has detected a suspicious transaction involving OnyxDAO on the ETH chain! The total loss is around $3.2 million [at the time]. Most of the losses are in VUSD. Attacker currently holds 521 ETH ($1.36 million). The rest of the digital assets are not swapped yet,” Cyvers wrote.
Additional investigations by PeckShield revealed that the attacker capitalized on a known precision issue presented as a bug in the forked Compound V2 code base. They then siphoned 4.1 million VUSD, 7.35 million XCN, 5,000 DAI, 0.23 WBTC, and 50,000 USDT. Reportedly, the bug leveraged a nearly empty market to manipulate the exchange rate.
Notably, hackers used the same approach in October 2023, hacking the same protocol for $2.1 million. In the October incident, the vulnerability was a rounding error. At the time, researchers ascribed the vulnerability to Onyx Protocol being a fork of Compound Finance.
How the Code Vulnerability Occurs
With many DeFi protocols being open-source, developers tend to avoid the long approach. They opt to build off of an existing code as opposed to implementing functionality from scratch.
The approach is considered popular as it can improve efficiency and security when done correctly. The downside is that if the template code is not secure, the fork may inherit the vulnerabilities.
“In the case of the Onyx protocol, the Compound Finance code that it used had a known vulnerability that had already been exploited in Hundred Finance and Midas Capital, which also forked the Compound Finance code. However, the Onyx Protocol used the same code and lacked the community support and vigilance needed to prevent the vulnerability from being exploited,” security firm Halborn reported.
This means the Onyx Protocol hack could have been prevented, given the prevalence of rounding errors. Notably, guidance already exists when launching new markets on Compound Finance and its forks.
“At Hexagate, we recommend any Compound V2 fork, when launching new markets to mint some cTokens and burn them to make sure the total supply never goes to zero. When the total supply goes to zero, the protocol becomes vulnerable and this strategy mitigates this situation,” security firm Hexgate guided in April 2023.
These incidences, including a $4.6 million attack on decentralized infrastructure Truflation on Wednesday, reflect the prevalent challenge in the crypto industry, where bad actors use different mechanisms to steal digital assets.
