On Sept. 26, decentralized finance (DeFi) protocol Onyx got caught in a web of code vulnerabilities, losing over $3.8 million. According to blockchain security platform PeckShield, the exploit played on a bug in the Compound Finance v2 codebase. But this wasn’t the first time. Onyx already suffered a similar hit back in November 2023, and the code that once betrayed it did it again.
But the attack had another layer—an NFT liquidation contract flaw that PeckShield pointed out contributed heavily to the hack.
Compound Codebase Bug Strikes Again
It’s a familiar villain in the DeFi scene. The Compound Finance v2 codebase has been forked by multiple DeFi protocols, but its vulnerabilities have proven costly. PeckShield’s report highlighted how this same flaw had triggered an exploit against Hundred Finance in April 2023. And now, Onyx has once again felt its sting. The vulnerability only gets triggered in an “empty market,” meaning no liquidity is present, usually when new markets are freshly launched.
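To make the "empty market" condition concrete, here is a small added model (not Onyx's, Compound's, or PeckShield's code) of how a Compound v2-style cToken exchange rate behaves when almost no cTokens are outstanding. It assumes the widely documented Compound v2 mechanics: the rate is (cash + borrows - reserves) / totalSupply scaled by 1e18, and redeeming an exact underlying amount burns floor(amount * 1e18 / rate) cTokens. All balances are constructed sample values in wei; `redeem_leak` and `market_is_seeded` are hypothetical helper names chosen for this illustration.

```python
"""Constructed model of a Compound v2-style cToken exchange rate.

Added illustration, not code from Onyx or Compound. Assumes Compound v2
fork mechanics: rate = (cash + borrows - reserves) * 1e18 / totalSupply and
redeem burns floor(amount * 1e18 / rate) cTokens. Amounts are sample wei.
"""

SCALE = 10**18
INITIAL_RATE = 2 * 10**16  # 0.02 underlying per cToken while totalSupply == 0


def exchange_rate(cash, borrows, reserves, total_supply):
    """cToken exchange rate mantissa (scaled by 1e18), Compound v2 formula."""
    if total_supply == 0:
        return INITIAL_RATE
    return (cash + borrows - reserves) * SCALE // total_supply


def ctokens_for_redeem(underlying_amount, rate):
    """cTokens burned when redeeming an exact underlying amount (rounds down)."""
    return underlying_amount * SCALE // rate


def redeem_leak(cash, total_supply, redeem_amount):
    """Underlying paid out beyond the value of the cTokens actually burned.

    The rounding error is bounded by the value of one cToken, so it only
    matters when a single cToken is worth a large share of the pool: a tiny
    totalSupply ("empty market") combined with an inflated exchange rate.
    """
    rate = exchange_rate(cash, 0, 0, total_supply)
    burned = ctokens_for_redeem(redeem_amount, rate)
    burned_value = burned * rate // SCALE
    return redeem_amount - burned_value


def market_is_seeded(cash, total_supply, max_leak_wei):
    """Defender check: a market is safe to enable only if the worst-case
    rounding leak per redeem (the value of one cToken) is negligible."""
    rate = exchange_rate(cash, 0, 0, total_supply)
    return total_supply > 0 and rate // SCALE <= max_leak_wei


def demo():
    """Compare an empty market with a seeded one after the same large deposit
    of underlying lands directly on the contract (constructed figures)."""
    deposit = 1_000 * SCALE
    # Empty market: only 2 wei of cTokens outstanding.
    leak_empty = redeem_leak(cash=deposit, total_supply=2,
                             redeem_amount=deposit - 1)
    # Seeded market: 100 cTokens outstanding against 2 underlying (rate 0.02).
    leak_seeded = redeem_leak(cash=2 * SCALE + deposit, total_supply=100 * SCALE,
                              redeem_amount=deposit - 1)
    return leak_empty, leak_seeded


if __name__ == "__main__":
    empty, seeded = demo()
    print(f"empty market leak:  {empty} wei")
    print(f"seeded market leak: {seeded} wei")
```

In the empty-market case a single redeem walks away with roughly half the pool for the cost of one cToken, which is why forks are expected to seed every new market (and burn the seed) before listing it; the `market_is_seeded` check encodes that rule as a pre-listing gate.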
But here’s where it gets tricky. The Onyx team acknowledged the exploit but stated that the known flaw wasn’t the root cause this time around. Instead, they pointed fingers at the NFTLiquidation Contract. In a post on X, they explained: “The primary issue wasn’t an empty market but the NFTLiquidation Contract.”
NFT Contract – the Real Villain?
So, what went wrong with the NFT contract? The issue boiled down to how the contract handled user input, or more accurately, didn’t handle it. It allowed the attacker to manipulate the self-liquidation reward because the contract didn’t properly validate user data. In other words, the code trusted too much, and it paid the price. PeckShield echoed this in their report, confirming that the NFT contract was “another issue that facilitates the hack.”
The hacker drained 4.1 million VUSD, 7.35 million Onyxcoin (XCN), 0.23 WBTC, $5,000 in Dai, and $50,000 in USDt. And the DeFi world just took another hit.