Attacker drains $2.1 million from Onyx in latest DeFi exploit

Quick Take

  • DeFi protocol Onyx experienced an exploit, resulting in a loss of over $2.1 million.
  • The exploit was carried out through an integer rounding vulnerability and a flash loan.
  • A specific “precision loss” vulnerability was in Onyx’s codebase was exploited.

Decentralized finance protocol Onyx suffered a security exploit, leading to a loss of more than $2.1 million.

The attacker drained the funds by exploiting a specific vulnerability in Onyx’s codebase, known as “precision loss,” according to analysts at the security firm BlockSec. Specifically, the exploit was executed using an integer rounding issue, aided by a flash loan.

“The attacker took out a flash loan of a substantial amount of ETH, swapped it for PEPE, and donated it to a specific pool to manipulate the exchange rate. Subsequently, due to the so-called precision loss, the attacker was able to withdraw more of the underlying asset by burning fewer shares,” Matthew Jiang, director of security services at BlockSec explained.

Jiang noted the attack was similar to the one carried out on Hundred Finance last year.


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

This vulnerability originates from an older forked version of Compound V2, which Onyx incorporates into its underlying architecture.

The attacker has so far sent 700 ETH ($1.25 million) to the crypto mixing service Tornado Cash, on-chain data shows.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]


To contact the editor of this story:
Tim Copeland at
[email protected]