The decentralized finance (DeFi) protocol Onyx lost over $2.1 million, as a cunning attacker exploited a critical vulnerability within Onyx’s codebase. This vulnerability, known as “precision loss,” was ruthlessly manipulated, resulting in substantial financial damage.
Security experts at BlockSec have shed light on the details of this sophisticated attack.
Attacker exploits “precision loss” vulnerability
BlockSec’s analysts have unraveled the attack, which involved the attacker exploiting a specific weakness in Onyx’s codebase through the use of an integer rounding issue, combined with a flash loan.
Matthew Jiang, Director of Security Services at BlockSec, explained that the attacker initiated the attack by securing a substantial amount of Ethereum (ETH) through a flash loan. This ETH was then exchanged for the cryptocurrency PEPE and subsequently donated to a particular pool, thereby manipulating the exchange rate.
However, the attacker’s trick didn’t end there. Leveraging the so-called “precision loss” within Onyx’s code, the attacker managed to withdraw a larger portion of the underlying asset while burning fewer shares. This intricate technique allowed the attacker to siphon off a substantial amount of Onyx’s funds, resulting in a significant $2.1 million loss.
History repeats: Similarities with past exploits
Notably, this attack bears similarities to a previous exploit on Hundred Finance last year. The common thread in these two incidents is the exploitation of vulnerabilities originating from an older version of Compound V2, which Onyx incorporates into its underlying architecture.
The attacker has attempted to cover their tracks by sending 700 ETH (equivalent to $1.25 million) to the crypto mixing service Tornado Cash, as revealed by on-chain data. Tornado Cash is a popular tool used to cover the source of cryptocurrency transactions, making it more challenging to trace the stolen funds.
The Onyx DeFi protocol breach serves as a reminder of the ongoing security challenges in the DeFi space. DeFi platforms must remain vigilant and continuously update their code to address vulnerabilities promptly. As attackers become more sophisticated, the need for comprehensive security audits and ongoing development is important.