Decentralized finance protocol Onyx suffered a security exploit, leading to a loss of more than $2.1 million.
The attacker drained the funds by exploiting a specific vulnerability in Onyx’s codebase, known as “precision loss,” according to analysts at the security firm BlockSec. Specifically, the exploit was executed using an integer rounding issue, aided by a flash loan.
“The attacker took out a flash loan of a substantial amount of ETH, swapped it for PEPE, and donated it to a specific pool to manipulate the exchange rate. Subsequently, due to the so-called precision loss, the attacker was able to withdraw more of the underlying asset by burning fewer shares,” Matthew Jiang, director of security services at BlockSec, explained.
Jiang noted the attack was similar to the one carried out on Hundred Finance last year.
This vulnerability originates from an older forked version of Compound V2, which Onyx incorporates into its underlying architecture.
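The rounding issue described above, as an added example that is not part of the original article and is not Onyx's or Compound's code: a simplified integer model of a share-based pool, showing how truncating division undercounts the shares burned on withdrawal once the exchange rate is inflated, next to a round-up variant. All function names and amounts are constructed assumptions.

```python
# Simplified integer model of a share-based lending pool. Assumption: this is
# not Onyx's or Compound's code; all names and amounts are constructed.
SCALE = 10**18  # fixed-point scale used for the exchange rate


def exchange_rate(cash: int, total_shares: int) -> int:
    """Underlying per share, scaled by SCALE and truncated like on-chain integer math."""
    return cash * SCALE // total_shares


def shares_floor(amount: int, rate: int) -> int:
    """Weak form: shares burned for `amount` of underlying, rounded down."""
    return amount * SCALE // rate


def shares_ceil(amount: int, rate: int) -> int:
    """Hardened form: round up, so rounding never favours the redeemer."""
    return -((-amount * SCALE) // rate)


def redeem_underlying(cash: int, total_shares: int, amount: int, burn_fn):
    """Withdraw `amount`; return (shares_burned, cash_left, shares_left)."""
    burned = burn_fn(amount, exchange_rate(cash, total_shares))
    if amount > cash or burned > total_shares:
        raise ValueError("redeem exceeds pool balance or share supply")
    return burned, cash - amount, total_shares - burned


def rounding_gain(cash: int, total_shares: int, amount: int, burn_fn) -> int:
    """Underlying withdrawn beyond the fair value of the shares burned."""
    rate = exchange_rate(cash, total_shares)
    return amount - burn_fn(amount, rate) * rate // SCALE


# Constructed state: 2 shares outstanding, pool cash inflated by a donation.
CASH, SHARES = 1_000_000 * SCALE, 2
AMOUNT = CASH - 1  # one unit less than the value of both shares

if __name__ == "__main__":
    for name, fn in (("floor", shares_floor), ("ceil", shares_ceil)):
        print(name, redeem_underlying(CASH, SHARES, AMOUNT, fn),
              "gain:", rounding_gain(CASH, SHARES, AMOUNT, fn))
```

With rounding down, a single share withdraws almost the value of both, leaving the remaining share backed by one unit; with rounding up, both shares are burned and the gain is not positive.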
The attacker has so far sent 700 ETH ($1.25 million) to the crypto mixing service Tornado Cash, on-chain data shows.
© 2023 The Block. All Rights Reserved.