Project name: Onyx Protocol
Project type: Lending
Date of exploit: Nov 1st, 2023
Asset loss: $2.1M
Vulnerability: Exchange rate manipulation
Date of audit report publishing (Onyx Protocol): Feb 27th, 2023
Conclusion: In Audit Scope (identified but not fixed)
Onyx Protocol, a DeFi lending protocol forked from Compound V2, allows users to deposit collateral and borrow tokens based on their collateral value. This value is determined by external price oracles, which acquire prices for the collateral. The key difference compared to the original Compound protocol is that Onyx supports NFTs as collateral.
On Nov 1, 2023, Onyx Protocol was attacked, leading to a loss of around $2.1M. The Onyx team had added a new PEPE market without any initial funds, so the hacker was able to manipulate the exchange rate of the PEPE market and borrow assets from other Onyx markets. The hacker also got back all the collateral due to rounding errors in Solidity, causing bad debts in these markets.
This vulnerability was identified in CertiK's audit report, and CertiK recommended that the project team add a new contract capable of minting fresh shares when the contract is deployed. The Onyx team acknowledged this issue and decided not to perform any action on the contract.
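The arithmetic behind the exchange-rate and rounding issue, as an added Python model (not Onyx's or CertiK's code): it mirrors the Compound V2 share formula with truncating integer division and compares a market listed with almost no shares against one seeded at deployment, as the audit recommended. All balances, the `min_locked_shares` threshold and the function names are constructed assumptions.

```python
# Added illustration: integer model of Compound V2-style share accounting.
# All balances and thresholds below are constructed, not on-chain values.
SCALE = 10**18  # 1e18 fixed-point mantissa used for the exchange rate


def exchange_rate(cash, borrows, reserves, total_supply, initial_rate=SCALE):
    """Underlying per share (scaled by 1e18), truncating like Solidity."""
    if total_supply == 0:
        return initial_rate
    return (cash + borrows - reserves) * SCALE // total_supply


def rate_after_transfer(cash, total_supply, transfer):
    """Rate once underlying reaches the market without minting any shares."""
    return exchange_rate(cash + transfer, 0, 0, total_supply)


def rounding_loss(redeem_underlying, rate):
    """Underlying paid out beyond the value of the shares actually burned."""
    burned = redeem_underlying * SCALE // rate  # division rounds down
    return redeem_underlying - burned * rate // SCALE


def safe_to_list(total_supply, min_locked_shares):
    """Hypothetical pre-listing gate: require shares minted at deployment."""
    return total_supply >= min_locked_shares


TRANSFER = 10**24                                   # constructed balance change
UNSEEDED = {"cash": 2, "total_supply": 2}           # market listed almost empty
SEEDED = {"cash": 10**18, "total_supply": 10**18}   # shares minted at deploy

if __name__ == "__main__":
    for name, m in (("unseeded", UNSEEDED), ("seeded", SEEDED)):
        rate = rate_after_transfer(m["cash"], m["total_supply"], TRANSFER)
        loss = rounding_loss(TRANSFER + 1, rate)
        print(f"{name}: one share = {rate // SCALE} underlying, "
              f"rounding loss on redeem = {loss}, "
              f"listable = {safe_to_list(m['total_supply'], 10**18)}")
```

With two shares outstanding, a single truncated share is worth half the pool; with 10**18 shares locked at deployment, the same truncation is bounded by the value of one share, about 10**6 base units here.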