Onyx Protocol PEPE Market Donation

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Onyx Protocol Logo/Homepage

Onyx Protocol is an algorithmic money market designed to bring secure and trustless credit and lending to users on the Ethereum network. On November 1st, 2023, it introduced a new market for the PEPE meme coin. Unfortunately, this market was launched with no liquidity, and a rounding error in the lending smart contract enabled an attacker to exploit it and walk off with $2.1m USD. Plans were ultimately made to reimburse users via a third-party acquisition of the platform.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42][43][44][45][46][47][48][49][50][51][52][53][54][55][56][57][58][59][60][61][62][63][64][65][66][67][68][69][70][71][72][73][74][75][76][77][78][79][80]

About Onyx Protocol

"The Backbone of Decentralised Web3 Protocols"

"Onyx Protocol is an algorithmic money market designed to bring secure and trustless credit and lending to users on Ethereum Network.

Onyx enables investors to lend and/or borrow cryptocurrencies, by pledging the platform an over-collateralized amount of cryptocurrency. Onyx does this by utilizing money markets, which are pools of assets with algorithmically derived interest rates, based on the supply and demand of each asset.

Users who choose to supply liquidity to Onyx earn compounded interest as rewards for supplying their assets to the protocol. When supplying assets, users are also given the ability to mint stable-coins, or borrow other assets against their supplied assets. Once a user has supplied assets to Onyx, the user can then borrow assets or mint stable-coins, by over-collateralizing and paying interest on the amount borrowed.

Loans from the Onyx protocol do not have monthly payments, late fees, and can be paid off at any time. Onyx is able to do this without ever requiring a credit check, with near immediate origination, using smart contracts that provide an automated, and absolutely transparent system for investment and profit distribution.

Onyx also provides loans for CryptoPunks and BAYC. NFT holders can leverage their idle NFTs to obtain loans and earn extra yield."

The Reality

"In Onyx’ case, governance had recently voted through Proposal 22 to add a lending market for memecoin PEPE to the protocol." "Onyx Protocol Deployment: Onyx Protocol introduced the "oPEPE" market with no initial liquidity."

"many of the findings during their audit were acknowledged instead of fixed. There is no point in reaching out to security researchers if you do not listen to their advice."

"The exact same attack vector has hit two other forks, Hundred Finance and Midas Capital (themselves both repeat leaderboard entrants), already this year, tipping the total lost to this bug over the $10M mark."

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Onyx Protocol PEPE Market Donation

Date | Event | Description
November 1st, 2023 3:58:47 AM MDT | Malicious Transaction Happens | The malicious transaction which is responsible for the theft.
November 1st, 2023 4:05:00 AM MDT | PeckShield Warning Tweet | PeckShield warns the Onyx team that they "may want to take a look".
November 1st, 2023 4:14:00 AM MDT | User Telegram Messages Deleted | A user, freedomonfire, reports mentioning the exploit/transaction on Telegram, after which their messages were deleted.
November 1st, 2023 4:32:11 AM MDT | Another Attack Transaction | A second, smaller attack transaction happens on the blockchain.
November 1st, 2023 4:38:00 AM MDT | PeckShield Second Attack | PeckShield posts a notice that the protocol is again being attacked, calling it "Another 1 for ~$61.8K".
November 1st, 2023 4:49:00 AM MDT | Cyvers Says Attack Ongoing | Cyvers calls the attack "ongoing", highlighting an additional transaction.
November 1st, 2023 6:49:00 AM MDT | Onyx Protocol Team Tweet | The Onyx Protocol team tweets to acknowledge the exploit. They are aware and working through the details with their partners.
November 1st, 2023 4:28:00 PM MDT | Users Requesting The Funds | KeyBoxAI reports that some users send IDM messages to the attacker requesting ETH.
November 2nd, 2023 1:36:00 AM MDT | Reimbursement Planning | The Onyx team announces that they are working on a reimbursement plan.
November 2nd, 2023 1:46:00 AM MDT | Some ETH Is Shared | Hackenclub reports that the exploiter shares some ETH with an individual who calls him his "brother in Christ" via an IDM message. The individual thanks him.
November 3rd, 2023 12:08:00 AM MDT | Initial Reimbursement Proposals | Initial reimbursement proposals are published, to be carried out through a potential acquisition of the protocol by an entity called Strike Finance.
November 3rd, 2023 10:47:00 AM MDT | Rekt News Investigates | Rekt News publishes their investigation of the incident.
November 6th, 2023 12:49:00 AM MST | AMA On Reimbursement Plan | An AMA (ask me anything) session is planned for handling the reimbursement from the hack.

Technical Details

"Onyx Protocol Deployment: Onyx Protocol introduced the "oPEPE" market with no initial liquidity just five days before the exploit."

"Rounding Issue Exploited: Attackers leveraged a known rounding issue from the CompoundV2 fork, affecting how numbers are handled in oPEPE's smart contracts."

"Donation and Borrowing: Attackers initiated the exploit by making a small donation to oPEPE, enabling them to borrow substantial assets from liquid markets."

"Exploitative Redemption: The critical step was the attackers exploiting the rounding issue when redeeming borrowed assets, resulting in significant profit."

"Similar to Past Hack: This technique resembled the one used in the Hundred Finance hack, suggesting a shared vulnerability in the CompoundV2 fork."

"In the process of the Onyx Protocol exploit, the attacker executed a series of complex swaps to obfuscate their actions and facilitate the theft of funds."
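The quotes above describe a known CompoundV2 weakness: a market listed with no liquidity lets a direct "donation" of underlying tokens inflate the per-cToken value, and the truncating division in the redeem path then pays out underlying without burning a proportionate share. The following Python model, added here and not code from Onyx Protocol or Compound, reproduces the exchange-rate arithmetic to quantify that rounding slack and shows a pre-listing guard a deployer could apply; the token amounts and the `max_slack` policy are constructed assumptions.

```python
# Added example, not Onyx Protocol code: models the Compound V2 cToken
# accounting described in Technical Details, to show why a market listed
# with (near) zero supply is exposed to donation-driven manipulation and
# what a pre-listing check could look like. All token amounts are constructed.

MANTISSA = 10**18  # Compound V2 fixed-point scale


def exchange_rate(cash: int, borrows: int, reserves: int,
                  total_supply: int, initial_rate: int) -> int:
    """Compound V2 exchangeRateStored: underlying per cToken, scaled by 1e18.
    With no cTokens outstanding the configured initial rate applies; otherwise
    the rate is (cash + borrows - reserves) * 1e18 / totalSupply, truncated."""
    if total_supply == 0:
        return initial_rate
    return (cash + borrows - reserves) * MANTISSA // total_supply


def redeem_rounding_slack(rate: int) -> int:
    """Underlying that a redeemUnderlying call can pay out without burning a
    proportionate cToken, because redeemTokens = amount * 1e18 / rate truncates.
    At most just under one cToken's worth is dropped, i.e. about rate / 1e18."""
    return rate // MANTISSA


def slack_after_donation(cash: int, total_supply: int, donation: int,
                         initial_rate: int) -> int:
    """Rounding slack once `donation` underlying has been transferred to the
    market directly (raising cash without minting any cTokens)."""
    rate = exchange_rate(cash + donation, 0, 0, total_supply, initial_rate)
    return redeem_rounding_slack(rate)


def safe_to_enable_collateral(total_supply: int, cash: int, donation: int,
                              initial_rate: int, max_slack: int) -> bool:
    """Pre-listing guard (assumed policy, not Onyx's): only enable a market
    as collateral once enough cTokens exist that a plausible donation cannot
    push the per-redeem rounding slack above `max_slack` underlying wei."""
    return slack_after_donation(cash, total_supply, donation, initial_rate) <= max_slack


if __name__ == "__main__":
    INITIAL_RATE = 2 * 10**26   # 0.02 underlying (18 dec) per cToken (8 dec)
    DONATION = 10**24           # constructed: 1,000,000 tokens sent directly
    # Seeded market: 1,000 tokens backing 50,000 cTokens.
    seeded = slack_after_donation(1000 * 10**18, 50_000 * 10**8, DONATION, INITIAL_RATE)
    # Thin market: only 2 wei of cTokens outstanding, backing 4e8 wei of underlying.
    thin = slack_after_donation(4 * 10**8, 2, DONATION, INITIAL_RATE)
    print(f"seeded market slack: {seeded} wei; thin market slack: {thin} wei")
```

In the seeded market the same donation leaves a slack of a few hundred billion wei (a fraction of a cent), while in the thin market it reaches roughly half the donated amount, which is why seeding the market before enabling it as collateral (or rounding the redeem computation in the protocol's favour) closes the issue.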

Total Amount Lost

The total amount lost has been estimated at $2,100,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"Compound fork @OnyxProtocol lost $2.1M on Tuesday, to a high-profile, well-known vulnerability. Many protocols have fallen victim to repeated vulnerabilities so far this year. Are devs paying attention?"

"The @OnyxProtocol experienced an exploit. Fund loss is 1,163.53 ETH ~$2.1mln. We are aware of the situation, closed the vulnerability, and working on the consequences with our partners."

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered has been estimated at $2,100,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Onyx Protocol - REKT (Accessed Sep 27, 2024)
  2. The Backbone of Decentralised Web3 Protocols (Accessed Sep 27, 2024)
  3. Onyx Documentation | Onyx Protocol (Accessed Sep 27, 2024)
  4. @RektHQ Twitter (Accessed Sep 27, 2024)
  5. @peckshield Twitter (Accessed Sep 27, 2024)
  6. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 27, 2024)
  7. @al_onyxprotocol Twitter (Accessed Sep 27, 2024)
  8. @KeyBoxAI Twitter (Accessed Sep 27, 2024)
  9. @Securrtech Twitter (Accessed Sep 27, 2024)
  10. @al_onyxprotocol Twitter (Accessed Sep 27, 2024)
  11. Recovery Proposal 3 of 3: Reduce inflation and launch the v2 Onyx Money Market Protocol - Updates - Onyx Community (Accessed Sep 27, 2024)
  12. @PeckShieldAlert Twitter (Accessed Sep 27, 2024)
  13. @hackenclub Twitter (Accessed Sep 27, 2024)
  14. @Phalcon_xyz Twitter (Accessed Sep 27, 2024)
  15. @al_onyxprotocol Twitter (Accessed Sep 27, 2024)
  16. @PeckShieldAlert Twitter (Accessed Sep 27, 2024)
  17. @peckshield Twitter (Accessed Sep 27, 2024)
  18. @al_onyxprotocol Twitter (Accessed Sep 27, 2024)
  19. @al_onyxprotocol Twitter (Accessed Sep 27, 2024)
  20. @CyversAlerts Twitter (Accessed Sep 27, 2024)
  21. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 27, 2024)
  22. @ddimitrovv22 Twitter (Accessed Sep 27, 2024)
  23. @freedomonfire Twitter (Accessed Sep 27, 2024)
  24. @VeridiseInc Twitter (Accessed Sep 27, 2024)
  25. @HudsonEstell1 Twitter (Accessed Sep 27, 2024)
  26. @_true_mr_robot Twitter (Accessed Sep 27, 2024)
  27. @Coin_CRUXX Twitter (Accessed Sep 27, 2024)
  28. @MetaTrustAlert Twitter (Accessed Sep 27, 2024)
  29. @lazinwest Twitter (Accessed Sep 27, 2024)
  30. @web3_watchdog Twitter (Accessed Sep 27, 2024)
  31. @chngvr52 Twitter (Accessed Sep 27, 2024)
  32. @BeingSatoshi Twitter (Accessed Sep 27, 2024)
  33. @alphador_ai Twitter (Accessed Sep 27, 2024)
  34. @Ayman_Tweets Twitter (Accessed Sep 27, 2024)
  35. @The_CryptoPost Twitter (Accessed Sep 27, 2024)
  36. @Haiderali_eth Twitter (Accessed Sep 27, 2024)
  37. @n3120_t Twitter (Accessed Sep 27, 2024)
  38. @kexleyBeefy Twitter (Accessed Sep 27, 2024)
  39. @ImmuneBytes Twitter (Accessed Sep 27, 2024)
  40. @ramrajtweetz Twitter (Accessed Sep 27, 2024)
  41. @BtcNewsBiz Twitter (Accessed Sep 27, 2024)
  42. @CryptoPost_ESP Twitter (Accessed Sep 27, 2024)
  43. @0x_homer Twitter (Accessed Sep 27, 2024)
  44. @OKLink Twitter (Accessed Sep 27, 2024)
  45. @hackenclub Twitter (Accessed Sep 27, 2024)
  46. @De_FiSecurity Twitter (Accessed Sep 27, 2024)
  47. @veriti_global Twitter (Accessed Sep 27, 2024)
  48. @CyversAlerts Twitter (Accessed Sep 27, 2024)
  49. @MetaTrustAlert Twitter (Accessed Sep 27, 2024)
  50. @blockjournal Twitter (Accessed Sep 27, 2024)
  51. @AuditaSecurity Twitter (Accessed Sep 27, 2024)
  52. @leshka_eth Twitter (Accessed Sep 27, 2024)
  53. @cassyjnr Twitter (Accessed Sep 27, 2024)
  54. @hake_stake Twitter (Accessed Sep 27, 2024)
  55. @CyberSec84 Twitter (Accessed Sep 27, 2024)
  56. @DanielSlothx Twitter (Accessed Sep 27, 2024)
  57. @CryptoGeek1987 Twitter (Accessed Sep 27, 2024)
  58. @web3_watchdog Twitter (Accessed Sep 27, 2024)
  59. @Cyberscope_io Twitter (Accessed Sep 27, 2024)
  60. @quillaudits_ai Twitter (Accessed Sep 27, 2024)
  61. @d3ploy_ Twitter (Accessed Sep 27, 2024)
  62. @hackenclub Twitter (Accessed Sep 27, 2024)
  63. @johnmorganFL Twitter (Accessed Sep 27, 2024)
  64. @InspexCo Twitter (Accessed Sep 27, 2024)
  65. @web3_watchdog Twitter (Accessed Sep 27, 2024)
  66. @bhumharit Twitter (Accessed Sep 27, 2024)
  67. @CryptoHunterQ Twitter (Accessed Sep 27, 2024)
  68. @oakchain_ Twitter (Accessed Sep 27, 2024)
  69. @CryptoRu_off Twitter (Accessed Sep 27, 2024)
  70. @CyversAlerts Twitter (Accessed Sep 27, 2024)
  71. @EthPub Twitter (Accessed Sep 27, 2024)
  72. @InspexCo Twitter (Accessed Sep 27, 2024)
  73. @Bitrace_team Twitter (Accessed Sep 27, 2024)
  74. @protectmywallet Twitter (Accessed Sep 27, 2024)
  75. @JuratNetwork Twitter (Accessed Sep 27, 2024)
  76. @TechRightio Twitter (Accessed Sep 27, 2024)
  77. @web3_watchdog Twitter (Accessed Sep 27, 2024)
  78. @cryptotalemedia Twitter (Accessed Sep 27, 2024)
  79. @BTCTN Twitter (Accessed Sep 27, 2024)
  80. @hapi_labs Twitter (Accessed Sep 27, 2024)