<img src="https://secure.glue1lazy.com/215876.png" style="display:none;">

Onyx Protocol Hack: Flow of Funds Analysis

On November 1st, Onyx Protocol encountered a substantial security breach, leading to a loss of approximately $2.1 million. To carry out the attack, the hackers adeptly leveraged a well-documented rounding-off discrepancy inherent to the widely used CompoundV2 fork.

The compromised oPEPE market had been deployed without any underlying liquidity. This vacant market was tactically manipulated through donations in order to secure loans from more liquid markets. Subsequently, the contributed funds were redeemed by capitalizing on the aforementioned, familiar rounding-off anomaly.

What is Onyx?

Onyx Protocol is a decentralized finance (DeFi) platform, providing users with the capability to generate yield from their assets and access borrowed funds backed by their collateral, encompassing a diverse array of cryptocurrencies, tokens, and NFTs.

Industry Response

PeckShield, a blockchain security and data analytics company, unveiled the intricate specifics of the breach on Twitter. In a sequence of tweets, the company disclosed the pivotal elements of the incident stating: 

“the exploited oPEPE market was deployed 5 days ago without any liquidity. This empty market was abused with donation to borrow funds from other markets with liquidity.  The  donated funds were then redeemed by exploiting the known rounding issue.”

Merkle Science’s Flow of Funds Analysis

 

Merkle Science's Blockchain Forensics tool 'Tracker' visualizing the flow of funds

Summary of the Hack:

  • 4.92 ETH received in Onyx Exploiter Address 1 from Tornado Cash via Intermediary Addresses 1 and 2.
  • Malicious contracts created by Onyx Exploiter Address 1, targeted multiple tokens, accumulating misappropriated funds in a master contract.
  • Conversion of tokens to 1157 ETH via swaps, routed through Onyx Exploiter Address 1, then transmitted to Onyx Exploiter Address 2. 1140 ETH sent to Tornado Cash; the rest to controlled addresses.

 

  • The sequence of events began when Onyx Exploiter Address 1 received operational funds, totaling approximately 4.92 ETH, originating from Tornado Cash, facilitated through Intermediary Addresses 1 and 2.
  • Subsequently, Onyx Exploiter Address 1 orchestrated the creation of a primary malicious contract, alongside seven subsidiary malicious contracts, each tailored for targeting distinct tokens, including Onyx USDT (oUSDT), Onyx DAI (oDAI), Onyx USDC (oUSDC), Onyx PAXG (oPAXG), Onyx LINK (oLINK), Onyx BTC (oBTC), and Onyx ETH (oETH). The master contract held the instructions to coordinate the actions of these associated contracts, orchestrating the attack.
  • Funds were then illicitly siphoned from multiple token contracts under Onyx's control, accumulating within the corresponding associated malicious contracts. These amassed funds were subsequently transferred to the master malicious contract.
  • To obscure their tracks, the malefactors converted the diverse tokens into an approximate sum of 1157 ETH through swaps, and these converted assets were directed to Onyx Exploiter Address 1.
  • From Onyx Exploiter Address 1, the pilfered funds were further routed to Onyx Exploiter Address 2.
  •  Following this, 1140 ETH was sent from Onyx Exploiter Address 2 to Tornado Cash, while the remainder found its way to various associated addresses controlled by the perpetrator.

Merkle Science has taken immediate action to ensure that wallets associated with the Onyx Protocol hack have been tagged across all our tools. This shows direct/indirect exposure to wallets involved in the theft.

Furthermore, our advanced blockchain forensics tool, 'Tracker,' is optimized to provide optimal capabilities for analyzing DeFi and smart contract transactions. It boasts a watchlist feature that promptly alerts users to any inbound or outbound fund transfers from the attacker's address. Additionally, our system encompasses over 22 distinct blockchains and additional L2 chains, facilitating comprehensive fund flow analysis for investigators.