MetaTrust: How did Onyx’s governance and vulnerabilities become a “golden shovel” for hackers?

23-11-02 17:43

On November 1st, MetaScout detected a flash loan attack on Onyx Protocol, a lending protocol on Ethereum, resulting in a loss of about $2.1 million. The root cause was twofold: the attacker targeted and was the first to execute a governance proposal that added a new market, and then abused the precision loss (integer truncation) in the redeem logic that Onyx inherited as a Compound fork.


MetaTrust Labs investigated the incident in depth; the analysis below shows how the attacker combined a governance proposal with a protocol-level precision-loss bug to attack Onyx Protocol.


About Onyx Protocol


Onyx Protocol (https://docs.onyx.org/) is a lending market aimed at providing secure and trustless credit and lending services to users on the Ethereum network.



On October 29, 2023, Onyx Protocol (https://x.com/OnyxProtocol/status/1718348637158137858?s=20) launched proposal OIP-22 to add $PEPE as a new market. Unfortunately, this proposal became the attacker's entry point.



Judging from the contracts Onyx has deployed on-chain, the protocol is a fork of Compound. As a result of the attack, its TVL dropped from $2.86 million to $550,000.



Attack Action



Attack Loss


The total loss from the two attack transactions is approximately $2.14 million.



Attacker


0xdec2F31C3984F3440540DC78Ef21b1369d4eF767

0x5083956303a145f70ba9f3d80c5e6cb5ac842706


Attack Contract


0x052ad2f779c1b557d9637227036ccaad623fceaa


Attacked Contract


Proxy contract: https://etherscan.io/address/0x5fdbcd61bc9bd4b6d3fd1f49a5d253165ea11750


Contract Implementation: https://etherscan.io/address/0x9dcb6bc351ab416f35aeab1351776e2ad295abc4#code


Governance Contract


https://etherscan.io/address/0xdec2f31c3984f3440540dc78ef21b1369d4ef767


Attack Steps


TL;DR


Take the attack transaction 0xf7c216 as an example.


1. The hacker (0x085bDf) first executed proposal OIP-22, which added a new market, oPEPE (0x5fdbcd).




2. Within one minute of the new market being added, the attacker took a flash loan of 4,000 $WETH from AAVE and then:

a. Swapped the 4,000 $WETH for 2,520,870,348,093 $PEPE.

b. Transferred all of the $PEPE to address 0xf8e153.

c. Deployed a contract at 0xf8e153, minted 50,000,000,000,000,000,000 $oPEPE with 1 $PEPE, then redeemed almost all of it, leaving only 2 wei of $oPEPE in circulation in the oPEPE market.

d. Transferred the 2,520,870,348,093 $PEPE directly to the oPEPE contract (this inflates the exchange rate, because the market's cash grows while total supply stays at 2 wei) and entered the market with $oPEPE as collateral.

e. Borrowed 334 $ETH against that collateral.

f. Because of precision loss, redeeming 2,520,870,348,093 $PEPE cost only 1 wei of $oPEPE:

i. Exchange rate = (total cash + total borrows - total reserves) / total supply = 2,520,870,348,093,423,681,390,050,791,472 / 2 = 1,260,435,174,046,711,840,695,025,395,736

ii. Redemption amount = 2,520,870,348,093,423,681,390,050,791,470

iii. Redeemed tokens = redemption amount / exchange rate = 1.99..., which integer division truncates to 1.

iv. The attacker then liquidated the borrower (0xf8e153) for 881,647,840 wei of $PEPE,

v. and redeemed 856,961,701 wei of $PEPE.
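To make the arithmetic in steps c to f concrete, the following is an added Python simulation of the Compound v2 style oToken accounting involved (mint, redeem, redeemUnderlying, exchange rate, and the comptroller-style redeem check). It was written for this page and is not code from Onyx Protocol or MetaTrust Labs. The cash and redemption figures are the ones quoted above; the 0.02 initial exchange rate (2e16 mantissa), 18-decimal oPEPE, and a 50% collateral factor are assumptions, and the borrow is valued in PEPE at the 4,000 WETH for 2,520,870,348,093 PEPE swap ratio from step a. The `round_up_redeem` flag shows one hardening: rounding the oToken amount up in redeemUnderlying so the market never pays out more underlying than the burned tokens are worth.

```python
"""Compound-v2 style oToken accounting behind the Onyx oPEPE attack.

Added example, not code from Onyx Protocol or MetaTrust Labs. The cash and
redemption figures are the ones quoted in the write-up; the 0.02 initial
exchange rate (2e16 mantissa), 18-decimal oPEPE and a 50% collateral factor
are assumptions.
"""

EXP_SCALE = 10**18
CASH_AFTER_DONATION = 2_520_870_348_093_423_681_390_050_791_472  # total cash, from the write-up
REDEEM_AMOUNT = 2_520_870_348_093_423_681_390_050_791_470         # redemption amount, from the write-up
# 4,000 WETH bought the donated PEPE, so value the 334 ETH borrow in PEPE wei at that ratio
BORROW_VALUE = CASH_AFTER_DONATION * 334 // 4000
COLLATERAL_FACTOR = 5 * 10**17                                     # 0.5, assumed


class OToken:
    """Minimal oToken market: cash, supply, exchange rate, mint/redeem, comptroller-style redeem check."""

    def __init__(self, initial_rate: int, round_up_redeem: bool):
        self.initial_rate = initial_rate
        self.round_up = round_up_redeem          # hardened variant rounds redeemTokens up
        self.cash = 0                             # underlying held by the market (wei)
        self.total_supply = 0                     # oToken wei in circulation
        self.balances: dict[str, int] = {}
        self.borrows: dict[str, int] = {}         # borrow value per account, in underlying wei

    def exchange_rate(self) -> int:
        # (cash + borrows - reserves) * 1e18 / totalSupply, as in Compound v2 (no borrows/reserves here)
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * EXP_SCALE // self.total_supply

    def mint(self, who: str, amount: int) -> int:
        tokens = amount * EXP_SCALE // self.exchange_rate()      # rounds down, as Compound does
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def donate(self, amount: int) -> None:
        """Plain ERC-20 transfer into the market: raises cash without minting anything."""
        self.cash += amount

    def borrow(self, who: str, value: int) -> None:
        """Record a borrow worth `value` underlying wei; must be covered by discounted collateral."""
        if self._collateral_value(self.balances.get(who, 0)) < value:
            raise ValueError("borrow: insufficient collateral")
        self.borrows[who] = self.borrows.get(who, 0) + value

    def redeem(self, who: str, tokens: int) -> int:
        """Redeem by oToken amount; returns underlying paid out."""
        amount = tokens * self.exchange_rate() // EXP_SCALE
        self._burn(who, tokens, amount)
        return amount

    def redeem_underlying(self, who: str, amount: int) -> int:
        """Redeem by underlying amount; returns oTokens burned. This is the exploited path."""
        num = amount * EXP_SCALE
        rate = self.exchange_rate()
        tokens = -(-num // rate) if self.round_up else num // rate   # ceil vs. floor
        self._burn(who, tokens, amount)
        return tokens

    def _collateral_value(self, tokens: int) -> int:
        # Comptroller style: value tokens at the stored exchange rate, then apply the collateral factor
        return tokens * self.exchange_rate() // EXP_SCALE * COLLATERAL_FACTOR // EXP_SCALE

    def _burn(self, who: str, tokens: int, amount: int) -> None:
        bal = self.balances.get(who, 0)
        if bal < tokens or self.cash < amount:
            raise ValueError("redeem: insufficient balance or cash")
        # redeemAllowed: hypothetical liquidity after removing `tokens`, judged by tokens, not by `amount`
        if self._collateral_value(bal - tokens) < self.borrows.get(who, 0):
            raise ValueError("redeem: would leave account undercollateralized")
        self.balances[who] = bal - tokens
        self.total_supply -= tokens
        self.cash -= amount


def run_attack(round_up_redeem: bool) -> dict:
    """Replay steps c to f of the write-up; returns what the attacker ended up with."""
    m = OToken(initial_rate=2 * 10**16, round_up_redeem=round_up_redeem)
    atk = "0xf8e153"                            # attacker's contract, from the write-up
    minted = m.mint(atk, 10**18)                # c: 1 PEPE -> 5e19 oPEPE wei
    m.redeem(atk, minted - 2)                   # c: redeem all but 2 wei of oPEPE
    m.donate(CASH_AFTER_DONATION - m.cash)      # d: transfer the flash-loaned PEPE straight in
    rate = m.exchange_rate() // EXP_SCALE       # underlying wei per oPEPE wei
    m.borrow(atk, BORROW_VALUE)                 # e: borrow 334 ETH against 2 wei of oPEPE
    try:
        burned = m.redeem_underlying(atk, REDEEM_AMOUNT)   # f: pull the cash back out
        rejected = False
    except ValueError:
        burned, rejected = 0, True
    return {
        "exchange_rate": rate,
        "oPEPE_burned": burned,
        "redeem_rejected": rejected,
        "oPEPE_left": m.balances[atk],
        "cash_left_in_market": m.cash,
    }
```

`run_attack(False)` replays the attack as it happened: redeeming 2,520,870,348,093,423,681,390,050,791,470 wei of PEPE burns a single wei of oPEPE, and the redeem passes the liquidity check because Compound v2's redeemAllowed values a redemption by the tokens burned at the stored exchange rate (here half of the market's collateral value) rather than by the underlying that actually leaves (here nearly all of it), so 1 wei of oPEPE stays behind as the only "backing" for the 334 ETH borrow. With `run_attack(True)` the same call would have to burn both wei of oPEPE, which leaves the borrow uncovered and the redeem reverts. Rounding is only one layer of defence: the other usual recommendation for Compound forks is to seed every new market with liquidity that nobody can redeem, so that total supply can never be driven down to a few wei in the first place.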
















Website: https://metatrust.io/


Twitter: https://twitter.com/MetatrustLabs

