The decentralized finance app lost nearly $4 million thanks to an interaction between an old bug and a new input validation vulnerability.
Decentralized finance (DeFi) protocol Onyx was exploited for $3.8 million on Sept. 26, according to a report from blockchain security platform PeckShield. The exploit used a known bug in the Compound Finance v2 codebase — one that had already been used to exploit Onyx previously on Nov. 1. A vulnerability in the non-fungible token (NFT) liquidation contract also contributed to the exploit, the report stated.
In a Sept. 27 X post, the Onyx team claimed that the faulty NFT contract was the root cause of the exploit.
According to the PeckShield report, 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 worth of the Dai (DAI) stablecoin and $50,000 worth of the USDt (USDT) stablecoin were drained from the protocol, for a total of over $3.8 million in losses.
