Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/onyxprotocollowliquiditynftliquidationvulnerability.php}} {{Unattributed Sources}} Onyx Protocol Logo/HomepageOnyx Protocol is an algorithmic money market designed to bring secure and trustless credit and lending to users on Ethereum Network. On September 26th, 2024, they were once again exploited by a low liquidity market, with an attacker walking off wi..."

2024-09-27T20:11:00Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/onyxprotocollowliquiditynftliquidationvulnerability.php}} {{Unattributed Sources}} thumb|Onyx Protocol Logo/HomepageOnyx Protocol is an algorithmic money market designed to bring secure and trustless credit and lending to users on Ethereum Network. On September 26th, 2024, they were once again exploited by a low liquidity market, with an attacker walking off wi..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/onyxprotocollowliquiditynftliquidationvulnerability.php}}
{{Unattributed Sources}}

[[File:Onyxprotocol.jpg|thumb|Onyx Protocol Logo/Homepage]]Onyx Protocol is an algorithmic money market designed to bring secure and trustless credit and lending to users on Ethereum Network. On September 26th, 2024, they were once again exploited by a low liquidity market, with an attacker walking off with $3.8m worth of funds. At present, they have offered the attacker a 20% bounty and the final outcome is unclear.<ref name="rekthqtwitter-15988" /><ref name="onyxdaotwitter-15989" /><ref name="cyversalertstwitter-15990" /><ref name="hackenclubtwitter-15991" /><ref name="etherscan-15992" /><ref name="peckshieldtwitter-15993" /><ref name="onyx-15909" /><ref name="onyxdocs-15910" /><ref name="onyxdaotwitter-15994" /><ref name="peckshieldtwitter-15995" /><ref name="peckshieldtwitter-15996" /><ref name="hackenclubtwitter-15997" />

== About Onyx Protocol ==
"The Backbone of Decentralised Web3 Protocols"

"Onyx Protocol is an algorithmic money market designed to bring secure and trustless credit and lending to users on Ethereum Network.

Onyx enables investors to lend and/or borrow cryptocurrencies, by pledging the platform an over-collateralized amount of cryptocurrency. Onyx does this by utilizing money markets, which are pools of assets with algorithmically derived interest rates, based on the supply and demand of each asset.

Users who choose to supply liquidity to Onyx earn compounded interest as rewards for supplying their assets to the protocol. When supplying assets, users are also given the ability to mint stable-coins, or borrow other assets against their supplied assets. Once a user has supplied assets to Onyx, the user can then borrow assets or mint stable-coins, by over-collateralizing and paying interest on the amount borrowed.

Loans from the Onyx protocol do not have monthly payments, late fees, and can be paid off at any time. Onyx is able to do this without ever requiring a credit check, with near immediate origination, using smart contracts that provide an automated, and absolutely transparent system for investment and profit distribution.

Onyx also provides loans for CryptoPunks and BAYC. NFT holders can leverage their idle NFTs to obtain loans and earn extra yield."

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
{| class="wikitable"
|+Key Event Timeline - Onyx Protocol Low Liquidity NFTLiquidation Vulnerability
!Date
!Event
!Description
|-
|September 26th, 2024 6:01:59 AM MDT
|Attack Transaction
|The attack transaction happens on the blockchain, as later reported by Hacken.
|-
|September 26th, 2024 6:43:00 AM MDT
|Cyvers Report Tweet
|Cyvers reports suspicious activity on the blockchain regarding Onyx Protocol.
|-
|September 26th, 2024 7:15:00 AM MDT
|Hacken Analysis Tweet
|Hacken shared an analysis which includes the original blockchain transaction.
|-
|September 26th, 2024 7:30:00 AM MDT
|PeckShield Initial Post
|PeckShield posts a tweet with a screenshot of the transaction and notes that Onyx "may want to take a look".
|-
|September 26th, 2024 7:39:00 AM MDT
|Latest Whereabouts Update
|PeckShield provides an update with the latest whereabouts of the tokens.
|-
|September 26th, 2024 7:55:00 AM MDT
|PeckShield Analysis Tweet
|PeckShield posts a further analysis of the attack against Onyx.
|-
|September 26th, 2024 8:12:00 AM MDT
|PeckShield Highlighting Issue
|In an update tweet, PeckShield provides details of another exploit where "the NFTLiquidation contract, which does not properly validate (untrusted) user input and was exploited to inflate the self-liquidation reward amount". This would later be referenced in a tweet by the Onyx team.
|-
|September 26th, 2024 10:06:00 AM MDT
|Onyx Protocol Is Aware
|In a Tweet, Onyx Protocol notes that they are "aware of unusual activity" on their platform. They "will announce further details in due course".
|-
|September 26th, 2024 1:46:00 PM MDT
|Rekt News Investigation
|Rekt publishes their investigation of the Onxy protocol situation.
|-
|September 26th, 2024 5:17:00 PM MDT
|Onyx Protocol Postmortem
|Onyx publishes a post-mortem with more details of what happened and the path forward.
|-
|September 26th, 2024 9:50:00 PM MDT
|Onyx Offers 20% Bounty
|The Onyx team offers a 20% bounty to the hacker. If they return 80%, then the rest of the funds will be considered as a bounty for discovering the exploit.
|}

== Technical Details ==
"The vulnerability stems from a flaw in the asset’s exchange rate calculation when there’s low liquidity in a certain market. The attacker manipulated the exchange rate by minting and redeeming Onyx ETH (oETH) 56 times."

"The exploit started with a 2K ETH flash loan from Balancer. The attacker deposited 1,999.5 ETH into the oEther contract (oETH market) while depositing 0.5 ETH into another malicious contract (0xAE7d68) created in the same transaction.

This contract was used to mint and redeem very small amounts of oETH (as little as 0.00000001 oETH), manipulating the exchange rate to exploit the system."

== Total Amount Lost ==
The total amount lost has been estimated at $3,800,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

== Immediate Reactions ==
"ALERT! Our system has detected suspicious transaction involving @OnyxDAO on #ETH chain!

Total loss is around $3.2M. Most of the loss are in $VUSD. Attacker currently holds 521 $ETH $1.36M. Rest of the digital assets are not swapped yet!"

"Onyx Protocol is aware of unusual activity on our platform and is currently reviewing third party post mortem examination data while conducting our own investigation.

We will announce further details in due course"

"Another Compound v2 fork that just can't catch a break, @OnyxDAO, has been exploited again."

This time, the damage tally stands at a cool $3.8 million, siphoned off by the same vulnerability that bit them late last year."

== Ultimate Outcome ==
"The attacker has already swapped all the stolen VUSD to ETH using CoW Protocol and Uniswap. In 12 transactions, they swapped 3.8M VUSD but only received 570 ETH ($1.5M) due to high slippage in the liquidity pools."

== Total Amount Recovered ==
The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
"Onyx DAO is offering a 20% bounty for the recovery of the exploited funds. We will also consider funds returned from the hacker as a bounty and request 80% back. After 7 days, we will send the information from third parties regarding the identity of the hackers to authorities."
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="rekthqtwitter-15988">[https://twitter.com/RektHQ/status/1839391124424712596 @RektHQ Twitter] (Accessed Sep 27, 2024)</ref>

<ref name="onyxdaotwitter-15989">[https://twitter.com/OnyxDAO/status/1839335665768845452 @OnyxDAO Twitter] (Accessed Sep 27, 2024)</ref>

<ref name="cyversalertstwitter-15990">[https://twitter.com/CyversAlerts/status/1839284600461303958 @CyversAlerts Twitter] (Accessed Sep 27, 2024)</ref>

<ref name="hackenclubtwitter-15991">[https://twitter.com/hackenclub/status/1839292759330664825 @hackenclub Twitter] (Accessed Sep 27, 2024)</ref>

<ref name="etherscan-15992">[https://etherscan.io/tx/0x46567c731c4f4f7e27c4ce591f0aebdeb2d9ae1038237a0134de7b13e63d8729 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Sep 27, 2024)</ref>

<ref name="peckshieldtwitter-15993">[https://twitter.com/peckshield/status/1839302663680438342 @peckshield Twitter] (Accessed Sep 27, 2024)</ref>

<ref name="onyx-15909">[https://onyx.org/ The Backbone of Decentralised Web3 Protocols] (Accessed Sep 27, 2024)</ref>

<ref name="onyxdocs-15910">[https://docs.onyx.org/ Onyx Documentation | Onyx Protocol] (Accessed Sep 27, 2024)</ref>

<ref name="onyxdaotwitter-15994">[https://twitter.com/OnyxDAO/status/1839444120060023167 @OnyxDAO Twitter] (Accessed Sep 27, 2024)</ref>

<ref name="peckshieldtwitter-15995">[https://twitter.com/peckshield/status/1839298850605142413 @peckshield Twitter] (Accessed Sep 27, 2024)</ref>

<ref name="peckshieldtwitter-15996">[https://twitter.com/peckshield/status/1839307011491770523 @peckshield Twitter] (Accessed Sep 27, 2024)</ref>

<ref name="hackenclubtwitter-15997">[https://twitter.com/hackenclub/status/1839312308880715797 @hackenclub Twitter] (Accessed Sep 27, 2024)</ref></references>

Onyx Protocol Low Liquidity NFTLiquidation Vulnerability - Revision history