Decoding OnyxDAO’s 4M Exploit

Overview

On September 3, 2024, Onyx DAO, a protocol derived from Compound Finance, suffered a severe breach. This incident led to a loss of approximately $3.8 million in various cryptocurrencies, primarily affecting the VUSD stablecoin. The breach was facilitated by an old precision issue known in the forked Compound V2 code base that Onyx DAO utilised.

About Project

Onyx DAO is a DeFi protocol that goes against the grain by using experimental tokenomics to prioritise $ONYX holders. Onyx DAO aims to solve current DeFi problems with an experimental, innovative model by combining farming and bonding.

Attack Flow

1.The attacker initiated the exploit by taking a 2,000 ETH flashloan from Balancer, using it to deposit oETH (Onyx’s version of cETH) into the Onyx protocol as collateral.

2. With this collateral, they borrowed various assets including DAI, WBTC, USDT, VUSD, and XCN, reaching the liquidation threshold.

3.The attacker employed a precision loss exploit inherent in the Compound v2 fork to manipulate the oETH exchange rate.

4. By repeatedly minting and redeeming oETH in tiny amounts (e.g., 0.00000001 oETH), they forced the exchange rate to drop significantly.

5. By sending small amounts of oETH to the protocol, the exchange rate between oETH and underlying ETH was distorted, artificially inflating the liquidation conditions and making the attacker's collateral eligible for liquidation.

6. Once the exchange rate was manipulated, the attacker triggered the liquidation process using the liquidateWithSingleRepay function in the NFTLiquidation contract.

7. The vulnerability lay in the lack of validation for key input parameters, such as the repayAmount and extraRepayAmount. The attacker was able to control these values.

8.With a manipulated extraRepayAmount, the attacker liquidated a massive portion of the collateral by repaying just 1 wei of VUSD, gaining nearly all the ETH collateral.

9.The attacker repeated this process across multiple borrowed assets, including DAI, WBTC, USDT, VU

Flow of Funds

Exploit Details

What is the Root Cause?

The root cause was unverified user input during the liquidation process. Specifically, key parameters of the liquidateWithSingleRepay function in the NFTLiquidation contract were controllable by the attacker, allowing manipulation of the extraRepayAmount variable through the repayAmount parameter. By exploiting this, the attacker was able to liquidate all collateral with just one token.

Ways They Could Have Prevented It

1. Insufficient Parameter Validation:

The primary vulnerability arose from the liquidateWithSingleRepay function, where key inputs (like repayAmount and extraRepayAmount) were not adequately validated. This lack of validation enabled the attacker to pass arbitrary values and manipulate the liquidation process to their advantage.

2. Exchange Rate Manipulation:

The attack was made possible by a flaw in the oETH exchange rate calculation, which was vulnerable due to low liquidity. Manipulating exchange rates allowed the attacker to significantly increase their gains during liquidation.

3. Repeat of Known Vulnerabilities:

Onyx Protocol suffered from a recurrent vulnerability found in other Compound v2 forks. This is a cautionary tale for DeFi protocols that reuse codebases without fully addressing potential vulnerabilities.

Audit Guidelines

1. All user inputs must be carefully validated, especially in critical functions like liquidation. Ensure that parameters like repayAmount, extraRepayAmount, and seizeTokenAmount have logical and secure upper and lower bounds.

2. Develop safeguards against flashloan attacks. This could involve limiting the impact of rapid borrowing and repayment cycles or requiring minimum liquidity conditions for sensitive operations.

Why QuillAudits For Web3 Security?

Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.