Onyx Protocol Low Liquidity NFTLiquidation Vulnerability
Onyx Protocol is an algorithmic money market, built as a Compound v2 fork, designed to bring secure and trustless credit and lending to users on the Ethereum network. On September 26th, 2024, the protocol was exploited for the second time through a low-liquidity market: the attacker manipulated the exchange rate of a near-empty oETH market by minting and redeeming tiny amounts, and, according to PeckShield, also abused insufficient input validation in the NFTLiquidation contract to inflate the self-liquidation reward. Roughly $3.8m worth of funds, mostly VUSD, was drained. Onyx has offered the attacker a 20% bounty in exchange for returning 80% of the funds; as of the last update to this page, the final outcome is unclear.[1][2][3][4][5][6][7][8][9][10][11][12]
About Onyx Protocol
"The Backbone of Decentralised Web3 Protocols"
"Onyx Protocol is an algorithmic money market designed to bring secure and trustless credit and lending to users on Ethereum Network.
Onyx enables investors to lend and/or borrow cryptocurrencies, by pledging the platform an over-collateralized amount of cryptocurrency. Onyx does this by utilizing money markets, which are pools of assets with algorithmically derived interest rates, based on the supply and demand of each asset.
Users who choose to supply liquidity to Onyx earn compounded interest as rewards for supplying their assets to the protocol. When supplying assets, users are also given the ability to mint stable-coins, or borrow other assets against their supplied assets. Once a user has supplied assets to Onyx, the user can then borrow assets or mint stable-coins, by over-collateralizing and paying interest on the amount borrowed.
Loans from the Onyx protocol do not have monthly payments, late fees, and can be paid off at any time. Onyx is able to do this without ever requiring a credit check, with near immediate origination, using smart contracts that provide an automated, and absolutely transparent system for investment and profit distribution.
Onyx also provides loans for CryptoPunks and BAYC. NFT holders can leverage their idle NFTs to obtain loans and earn extra yield."
What Happened
The exploit was carried out in a single transaction early on September 26th, 2024. On-chain monitoring firms (Cyvers, Hacken and PeckShield) flagged it within roughly forty minutes to two hours, Onyx acknowledged "unusual activity" about four hours after the attack, and the team published a post-mortem that evening followed by a 20% bounty offer later that night. Times below are as given in the cited reports.
| Date | Event | Description |
|---|---|---|
| September 26th, 2024 6:01:59 AM MDT | Attack Transaction | The attack transaction happens on the blockchain, as later reported by Hacken. |
| September 26th, 2024 6:43:00 AM MDT | Cyvers Report Tweet | Cyvers reports suspicious activity on the blockchain regarding Onyx Protocol. |
| September 26th, 2024 7:15:00 AM MDT | Hacken Analysis Tweet | Hacken shared an analysis which includes the original blockchain transaction. |
| September 26th, 2024 7:30:00 AM MDT | PeckShield Initial Post | PeckShield posts a tweet with a screenshot of the transaction and notes that Onyx "may want to take a look". |
| September 26th, 2024 7:39:00 AM MDT | Latest Whereabouts Update | PeckShield provides an update with the latest whereabouts of the tokens. |
| September 26th, 2024 7:55:00 AM MDT | PeckShield Analysis Tweet | PeckShield posts a further analysis of the attack against Onyx. |
| September 26th, 2024 8:12:00 AM MDT | PeckShield Highlighting Issue | In a follow-up tweet, PeckShield describes a second issue exploited in the same attack: "the NFTLiquidation contract, which does not properly validate (untrusted) user input and was exploited to inflate the self-liquidation reward amount". This would later be referenced in a tweet by the Onyx team. |
| September 26th, 2024 10:06:00 AM MDT | Onyx Protocol Is Aware | In a Tweet, Onyx Protocol notes that they are "aware of unusual activity" on their platform. They "will announce further details in due course". |
| September 26th, 2024 1:46:00 PM MDT | Rekt News Investigation | Rekt publishes their investigation of the Onyx Protocol situation. |
| September 26th, 2024 5:17:00 PM MDT | Onyx Protocol Postmortem | Onyx publishes a post-mortem with more details of what happened and the path forward. |
| September 26th, 2024 9:50:00 PM MDT | Onyx Offers 20% Bounty | The Onyx team offers a 20% bounty to the hacker. If they return 80%, then the rest of the funds will be considered as a bounty for discovering the exploit. |
Technical Details
"The vulnerability stems from a flaw in the asset’s exchange rate calculation when there’s low liquidity in a certain market. The attacker manipulated the exchange rate by minting and redeeming Onyx ETH (oETH) 56 times."
"The exploit started with a 2K ETH flash loan from Balancer. The attacker deposited 1,999.5 ETH into the oEther contract (oETH market) while depositing 0.5 ETH into another malicious contract (0xAE7d68) created in the same transaction.
This contract was used to mint and redeem very small amounts of oETH (as little as 0.00000001 oETH), manipulating the exchange rate to exploit the system."
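To make the exchange-rate mechanics concrete, the following is an added example, not Onyx's code and not a reconstruction of the attacker's transaction: a Python model of Compound v2 cToken arithmetic, which Onyx's oTokens inherit as a Compound v2 fork. It shows why a market with only a couple of token units outstanding lets a single depositor set the exchange rate, how truncating division in redeemUnderlying then pays out underlying while burning zero tokens, and how two standard hardenings (reverting on a zero-token redeem, and locking seed liquidity at listing) change the outcome. The 0.5 ETH and 1,999.5 ETH inputs are taken from the analysis above purely as sample numbers; the 75% collateral factor, the donate step, and the class and function names are the example's own assumptions.

```python
"""
Integer model of a Compound v2 style lending market (oToken / cToken arithmetic).

Added illustration: not Onyx's contracts and not the attacker's exact call sequence.
All amounts are constructed; 0.5 ETH and 1,999.5 ETH are used only as sample inputs.
Borrows, reserves, the comptroller and oracle prices are left out so that the
exchange-rate arithmetic stands on its own.
"""

WAD = 10**18               # Compound's 1e18 fixed-point scale
ETH = 10**18               # wei per ETH
INITIAL_RATE = 2 * 10**26  # Compound's initialExchangeRateMantissa for cETH: 0.02 ETH per 8-decimal unit


class Market:
    def __init__(self, *, zero_redeem_check=False, locked_seed_wei=0):
        self.cash = 0            # underlying held by the market, in wei
        self.total_supply = 0    # oToken units (8 decimals)
        self.locked = 0          # units minted at listing that no user can redeem (hardening)
        self.zero_redeem_check = zero_redeem_check  # hardening: revert on a zero-token redeem
        if locked_seed_wei:
            self.locked = self.mint(locked_seed_wei)

    def exchange_rate(self):
        # exchangeRateStored(): (cash + borrows - reserves) * 1e18 / totalSupply
        if self.total_supply == 0:
            return INITIAL_RATE
        return self.cash * WAD // self.total_supply

    def mint(self, amount_wei):
        tokens = amount_wei * WAD // self.exchange_rate()  # truncating division
        self.cash += amount_wei
        self.total_supply += tokens
        return tokens

    def redeem_tokens(self, tokens):
        # redeem(redeemTokens): underlying out = tokens * rate / 1e18
        if tokens > self.total_supply - self.locked:
            raise ValueError("insufficient redeemable supply")
        amount_wei = tokens * self.exchange_rate() // WAD
        self.total_supply -= tokens
        self.cash -= amount_wei
        return amount_wei

    def redeem_underlying(self, amount_wei):
        # redeemUnderlying(redeemAmount): tokens burned = amount * 1e18 / rate, truncated.
        # Original Compound v2 did not check that the truncation left a non-zero burn.
        tokens = amount_wei * WAD // self.exchange_rate()
        if self.zero_redeem_check and tokens == 0 and amount_wei > 0:
            raise ValueError("redeemTokens zero")
        if amount_wei > self.cash:
            raise ValueError("insufficient cash")
        self.total_supply -= tokens
        self.cash -= amount_wei
        return tokens

    def donate(self, amount_wei):
        # Plain transfer to the market address: raises cash (and the rate), mints nothing.
        self.cash += amount_wei


def low_liquidity_attack(market, deposit_wei, donation_wei, max_redeems=100):
    """Empty-market sequence: become the only holder, inflate the rate, pull cash out for free."""
    minted = market.mint(deposit_wei)
    market.redeem_tokens(minted - 2)               # leave just 2 token units in circulation
    rate_before = market.exchange_rate()
    market.donate(donation_wei)                     # each remaining unit is now 'worth' half the pot
    rate_after = market.exchange_rate()
    collateral_wei = 2 * rate_after // WAD          # value a comptroller would assign to the 2 units
    borrow_capacity_wei = collateral_wei * 3 // 4   # assumed 75% collateral factor (illustrative)
    recovered_wei, burned, redeems, blocked = 0, 0, 0, False
    for _ in range(max_redeems):
        # Largest amount that still truncates to zero tokens: amount * 1e18 < rate.
        amount_wei = min((market.exchange_rate() - 1) // WAD, market.cash)
        if amount_wei <= 0:
            break
        try:
            burned += market.redeem_underlying(amount_wei)
        except ValueError:
            blocked = True
            break
        recovered_wei += amount_wei
        redeems += 1
    return {
        "rate_before": rate_before,
        "rate_after": rate_after,
        "collateral_wei": collateral_wei,
        "borrow_capacity_wei": borrow_capacity_wei,
        "recovered_wei": recovered_wei,
        "redeems": redeems,
        "tokens_burned": burned,
        "blocked": blocked,
    }


if __name__ == "__main__":
    args = (ETH // 2, 19995 * ETH // 10)  # 0.5 ETH deposit, 1,999.5 ETH donation (constructed)
    for label, m in [("vulnerable", Market()),
                     ("zero-redeem check", Market(zero_redeem_check=True)),
                     ("locked 1 ETH seed", Market(locked_seed_wei=ETH))]:
        r = low_liquidity_attack(m, *args)
        print(f"{label:18} rate x{r['rate_after'] // r['rate_before']:<14} "
              f"collateral {r['collateral_wei'] / ETH:.6f} ETH  "
              f"recovered {r['recovered_wei'] / ETH:.6f} ETH in {r['redeems']} redeems, "
              f"burned {r['tokens_burned']} units, blocked={r['blocked']}")
```

Run as a script it prints three rows. Against the unhardened market the two remaining token units are valued at the whole 1,999.5 ETH pot (a roughly 5e12 jump in exchange rate), and about seventy redeemUnderlying calls pull every wei of it back out while burning zero tokens, leaving the attacker with the inflated collateral position and whatever was borrowed against it. The zero-redeem check stops the free withdrawal but leaves the inflated collateral valuation intact, so on its own it does not remove the borrow-against-inflated-collateral risk; locking 1 ETH of seed supply at listing does, because the attacker's two units are then worth under a millionth of an ETH.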
Total Amount Lost
The total amount lost has been estimated at $3,800,000 USD, the figure reported by Rekt and matching the 3.8M VUSD the attacker later swapped. Cyvers' initial alert put the loss at around $3.2M, with most of it in VUSD, and that lower number predates the full accounting. The attacker realised considerably less than the protocol lost: the 3.8M VUSD was swapped for only about 570 ETH (roughly $1.5M) because of slippage in the liquidity pools, so the protocol-side loss and the attacker's proceeds should not be conflated.
Immediate Reactions
"ALERT! Our system has detected a suspicious transaction involving @OnyxDAO on #ETH chain!
Total loss is around $3.2M. Most of the loss is in $VUSD. Attacker currently holds 521 $ETH ($1.36M). Rest of the digital assets are not swapped yet!"
"Onyx Protocol is aware of unusual activity on our platform and is currently reviewing third party post mortem examination data while conducting our own investigation.
We will announce further details in due course"
"Another Compound v2 fork that just can't catch a break, @OnyxDAO, has been exploited again.
This time, the damage tally stands at a cool $3.8 million, siphoned off by the same vulnerability that bit them late last year."
Ultimate Outcome
"The attacker has already swapped all the stolen VUSD to ETH using CoW Protocol and Uniswap. In 12 transactions, they swapped 3.8M VUSD but only received 570 ETH ($1.5M) due to high slippage in the liquidity pools."
Total Amount Recovered
No recovery of funds has been reported as of the last update to this page, and no reimbursement of affected users has been reported. Onyx's offer of a 20% bounty in exchange for the return of 80% of the funds is covered under Ongoing Developments below.
Ongoing Developments
"Onyx DAO is offering a 20% bounty for the recovery of the exploited funds. We will also consider funds returned from the hacker as a bounty and request 80% back. After 7 days, we will send the information from third parties regarding the identity of the hackers to authorities."
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. @RektHQ Twitter (Accessed Sep 27, 2024)
2. @OnyxDAO Twitter (Accessed Sep 27, 2024)
3. @CyversAlerts Twitter (Accessed Sep 27, 2024)
4. @hackenclub Twitter (Accessed Sep 27, 2024)
5. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 27, 2024)
6. @peckshield Twitter (Accessed Sep 27, 2024)
7. The Backbone of Decentralised Web3 Protocols (Accessed Sep 27, 2024)
8. Onyx Documentation | Onyx Protocol (Accessed Sep 27, 2024)
9. @OnyxDAO Twitter (Accessed Sep 27, 2024)
10. @peckshield Twitter (Accessed Sep 27, 2024)
11. @peckshield Twitter (Accessed Sep 27, 2024)
12. @hackenclub Twitter (Accessed Sep 27, 2024)