Onyx Exploited for $3.8M as DeFi Exploits Escalate in the Web3 Space

tralized finance (DeFi) protocol, was exploited for $3.8 million due to a vulnerability in its non-fungible token (NFT) liquidation contract.

DeFi protocol Onyx has lost $3.8 million in a new attack, which was largely enabled by a known vulnerability in Compound Finance’s codebase v2.

The blockchain security firm PeckShield has identified the attacker's use of a vulnerability in the NFT liquidation contract, which led to the exploitation. The vulnerability is present in Compound Finance's v2 codebase, which is used by several DeFi protocols.

The vulnerability can be exploited when a DeFi protocol has an “empty market” — a market with no liquidity, which usually happens when launching new markets.

The attacker drained 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 in the DAI stablecoin, and $50,000 in the USDT stablecoin, totaling over $3.8 million in losses.

A previous attack on Onyx occurred in October 2023, which was also enabled by the same vulnerability in the Compound Finance codebase. Another exploitation occurred in Hundred Finance, which was attacked in April 2023.

The DeFi protocol later acknowledged the faulty NFT contract as the primary cause of the attack, while the Compound vulnerability played a role.

According to PeckShield, the contract failed to validate user input properly, which allowed the attacker to inflate self-liquidation rewards and drain funds.

DeFi exploits have become a pressing issue in Web3, with several protocols being attacked in 2024. Just days before the Onyx attack, Bedrock, a liquid staking protocol, lost over $2 million due to a vulnerability in its uniBTC contract.

Another protocol, Bankroll Network, suffered a $230,000 loss when an attacker exploited a faulty “buyFor” function.

After stealing the funds, attackers often convert them into Ether to launder the funds through cryptocurrency mixers like Tornado Cash, which complicates the efforts of cybersecurity firms to trace the stolen funds.

Crypto hacks have been escalating in 2024, with the first quarter seeing $542.7 million stolen, a 42% increase from the same period in 2023. July was particularly severe, with over $266 million stolen across 16 attacks.

This includes a $230 million theft from Indian exchange WazirX, which was the second-largest hack of the year so far.

The WazirX hacker has been attempting to funnel the stolen funds, consolidating $57 million worth of ETH into new addresses by July 22.

Most recently, Singapore-based cryptocurrency exchange BingX’s estimated loss from a suspected hack on Friday more than doubled to over $52 million, following further investigations.