Incident Analysis
Post Mortem: Onyx Protocol
Project name: Onyx Protocol

Project type: Lending

Date of exploit: Nov 1st, 2023

Asset loss: $2.1M

Vulnerability: Exchange rate manipulation

Date of audit report publishing:

Onyx Protocol: Feb 27th, 2023

Conclusion: In Audit Scope (identified but not fixed)

Details of the Exploit

Project Background

Onyx Protocol, a DeFi lending protocol forked from Compound V2, allows users to deposit collateral and borrow tokens against their collateral value. That value is determined by external price oracles, which supply prices for the collateral assets. The key difference from the original Compound protocol is that Onyx also supports NFTs as collateral.

Nature of the Vulnerability

  • On the 23rd, a proposal on Onyx governance to support the PEPE market was passed, and on October 26, 2023, the PEPE token market contract was deployed. No initial liquidity was supplied to the market.
  • While the market's liquidity is zero, the exchange rate can be manipulated by donating tokens directly to the market contract.
  • Because of a rounding error, the attacker can redeem approximately all of the tokens held by the collateral contract with a single share.

CertiK Audit Overview

On Nov 1, 2023, Onyx Protocol was attacked, leading to a loss of around $2.1M. The Onyx team had added a new PEPE market without any initial funds, so the attacker was able to manipulate the exchange rate of the PEPE market and borrow assets from other Onyx markets, and then recovered all of the collateral because of rounding errors in the Solidity integer arithmetic, leaving bad debt in those markets.

This vulnerability was identified in CertiK's audit report, which recommended that the project team add a new contract capable of minting fresh shares when the contract is deployed. The Onyx team acknowledged the issue and decided not to take any action on the contract.