ONYX PROTOCOL
Exploiter address: 0x085bdff2c522e8637d4154039db8746bb8642bff
Repeat exploiter address: 0x5083956303a145f70ba9f3d80c5e6cb5ac842706

The Onyx Protocol, a fork of Compound Finance, experienced a significant loss of $2.1 million due to a well-known vulnerability on Tuesday. This vulnerability, which also affected Hundred Finance and Midas Capital, has collectively resulted in over $10 million in losses. Despite warnings from Peckshield, Onyx did not respond officially for nearly three hours, during which the protocol suffered a repeat attack, albeit with lower profit. Several protocols have fallen prey to similar exploits, including Conic, Sturdy, EraLend, and Midas.

The exploit leveraged a known vulnerability in the Compound v2 code, where a rounding error enabled attackers to manipulate empty markets, draining liquidity across the protocol. Onyx's governance had recently approved Proposal 22, adding a lending market for the memecoin PEPE. The "empty market attack" involved a flash loan swapped for PEPE, manipulating prices by minting oPEPE shares and donating PEPE to inflate oPEPE's value as collateral. The attacker then borrowed against the overvalued oPEPE, exploiting the rounding error to withdraw funds.

The 1164 ETH ($2.1M) in profits were sent to an intermediary address, with 1140 ETH deposited into Tornado Cash. The remaining 24 ETH went to on-chain panhandlers, prompting messages begging for further funds.

Although Onyx Protocol was audited by Certik, the viability of this vulnerability depends on individual market conditions rather than the codebase. In the aftermath, Onyx proposed a compensation plan to refund victims by selling native tokens from the treasury. However, the plan raises concerns about potential negative impacts on XCN and the misalignment of team incentives, emphasizing the importance of vigilance and security for teams working with forks.
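The risk described above is a property of a market's state, not of the code alone: a freshly listed Compound v2 market with (near) zero cTokens outstanding can have its exchange rate moved by a donation that costs the attacker almost nothing. The following is an added example, not code from Onyx, Compound or any auditor, showing the check a listing review or a monitoring job can run before and after a governance proposal like Proposal 22 goes live. The market figures, the `MIN_SEED_SHARES` threshold and the dead-address seeding step are constructed assumptions for illustration; the exchange-rate formula is the Compound v2 one (cash + borrows - reserves, divided by total supply).

```python
from dataclasses import dataclass

MANTISSA = 10**18            # fixed-point scale used by Compound v2 exchange rates
MIN_SEED_SHARES = 10**10     # assumed minimum cToken supply before a market may be collateral

@dataclass
class Market:
    symbol: str
    cash: int              # underlying held by the cToken contract (wei)
    borrows: int           # total outstanding borrows (wei)
    reserves: int          # protocol reserves (wei)
    total_supply: int      # cTokens outstanding
    collateral_factor: float  # 0.0 means the market cannot back a borrow

def exchange_rate(m: Market) -> int:
    """Compound v2 exchange rate (underlying per cToken, scaled by MANTISSA).
    With total_supply == 0 the real contract returns the initial rate; we do the same."""
    if m.total_supply == 0:
        return 2 * 10**16   # assumed initial exchange rate mantissa
    return (m.cash + m.borrows - m.reserves) * MANTISSA // m.total_supply

def manipulation_cost(m: Market) -> int:
    """Underlying an attacker would have to donate to double the exchange rate.
    Equals the pool's current net underlying: near zero for an empty market."""
    return max(m.cash + m.borrows - m.reserves, 0)

def is_empty_market_risk(m: Market, min_shares: int = MIN_SEED_SHARES) -> bool:
    """A market is exposed when it can back borrows while its share supply is
    tiny enough for a donation to swing the rate and for redeem rounding to matter."""
    return m.collateral_factor > 0 and m.total_supply < min_shares

def review_markets(markets: list[Market]) -> list[str]:
    """Return one finding per exposed market; an empty list means the check passed."""
    findings = []
    for m in markets:
        if is_empty_market_risk(m):
            findings.append(
                f"{m.symbol}: total_supply={m.total_supply} below {MIN_SEED_SHARES}, "
                f"collateral_factor={m.collateral_factor}, "
                f"cost to double exchange rate = {manipulation_cost(m)} wei"
            )
    return findings

def seed_market(m: Market, underlying: int) -> Market:
    """Mitigation pattern: the protocol mints an initial deposit and burns the shares
    (sends them to a dead address), so total_supply can never return to ~0 and any
    later donation must be large relative to a real pool to move the rate."""
    rate = exchange_rate(m)
    minted = underlying * MANTISSA // rate
    return Market(m.symbol, m.cash + underlying, m.borrows, m.reserves,
                  m.total_supply + minted, m.collateral_factor)

# Constructed sample state: a newly listed memecoin market with almost no supply
# next to an established market. Values are illustrative, not Onyx's on-chain numbers.
SAMPLE_MARKETS = [
    Market("oPEPE", cash=2, borrows=0, reserves=0, total_supply=2, collateral_factor=0.5),
    Market("oETH", cash=5_000 * 10**18, borrows=1_200 * 10**18, reserves=10 * 10**18,
           total_supply=250_000 * 10**8, collateral_factor=0.8),
]

if __name__ == "__main__":
    for line in review_markets(SAMPLE_MARKETS):
        print("RISK:", line)
    seeded = seed_market(SAMPLE_MARKETS[0], 10**22)   # assumed 10,000 PEPE seed deposit
    print("after seeding, findings:", review_markets([seeded]))
```

The review would be run as part of the governance checklist for any new market and again on a schedule, since a market that was seeded can be drained back toward zero shares by ordinary redemptions; the `manipulation_cost` figure gives reviewers a number to compare against the flash-loan liquidity available for the asset.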
