| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 16 | 4 | - | - | 20 |
| Fixed | - | - | - | - | 0 |
| Total | 16 | 4 | 0 | 0 | 20 |
Quick Summary

On September 26th, 2024, Onyx DAO, a decentralized finance (DeFi) protocol derived from Compound Finance, was exploited due to a precision vulnerability, resulting in a loss of approximately $3.8 million, primarily in VUSD stablecoins.

Details of the Exploit

The attackers took advantage of a known precision loss vulnerability in the forked Compound V2 code that Onyx DAO implemented. By deploying a malicious contract, they manipulated the market’s exchange rates within the protocol, artificially inflating the value of small deposits. This allowed them to withdraw 4.1 million VUSD along with other cryptocurrencies, such as XCN, DAI, WBTC, and USDT.

Across multiple transactions, the attackers caused the protocol to miscalculate and inflate their token values, minting excessive amounts of VUSD, which they then converted to other cryptocurrencies. While some of the stolen funds were swapped into ETH, a significant portion remained unswapped, suggesting a strategic move to avoid detection.

Block Data Reference

- Attacker’s Address: 0x085bdff2c522e8637d4154039db8746bb8642bff
- Malicious Contract: 0x526e8e98356194b64eae4c2d443cc8aad367336f
- Vulnerable Contract Address: 0x5fdbcd61bc9bd4b6d3fd1f49a5d253165ea11750
- Attack Transaction Hash: 0xf7c21600452939a81b599017ee24ee0dfd92aaaccd0a55d02819a7658a6ef635
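The precision loss described under "Details of the Exploit" comes from the truncating integer division that Compound V2-style markets use for their exchange rate. The following is an added example, not code from Onyx DAO or Compound: it models that arithmetic and flags a market snapshot in which a single cToken unit is worth enough for rounding to become material. The function names, market figures, initial rate and tolerance are all constructed assumptions.

```python
# Added illustration of Compound V2-style fixed-point math (values scaled by 1e18).
# All market figures and the tolerance are constructed, not Onyx incident data.
SCALE = 10**18
INITIAL_RATE = 2 * 10**26  # assumed initial rate: 0.02 underlying per cToken

def exchange_rate(cash, borrows, reserves, total_supply):
    """Underlying per cToken unit, scaled by 1e18; division truncates as on the EVM."""
    if total_supply == 0:
        return INITIAL_RATE
    return (cash + borrows - reserves) * SCALE // total_supply

def rounding_loss(redeem_amount, rate):
    """Underlying paid out but not covered by the cTokens burned (burn rounds down)."""
    burned = redeem_amount * SCALE // rate
    return redeem_amount - burned * rate // SCALE

def max_rounding_loss(rate):
    """Upper bound on rounding_loss for any redeem: about one cToken unit of value."""
    return -(-(rate - 1) // SCALE)  # ceiling division

def check_market(cash, borrows, reserves, total_supply, tolerance=10**12):
    """Return (rate, worst-case loss, flagged) for one market snapshot."""
    rate = exchange_rate(cash, borrows, reserves, total_supply)
    loss = max_rounding_loss(rate)
    return rate, loss, loss > tolerance

if __name__ == "__main__":
    markets = {
        "healthy (constructed)": (5_000_000 * 10**18, 0, 0, 25 * 10**15),
        "thin supply (constructed)": (2_000 * 10**18, 0, 0, 2),
    }
    for name, state in markets.items():
        rate, loss, flagged = check_market(*state)
        print(f"{name}: rate={rate} worst_loss={loss} flagged={flagged}")
```

A monitor built on this check would alert when a listed market's total supply falls so low that the worst-case loss exceeds the chosen tolerance.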