This article is more than three months old

Hacker drains $2.1m through memecoin lending market on Onyx Protocol

Hacker drains $2.1m through memecoin lending market on Onyx Protocol
A hacker took advantage of Onyx's new PEPE market to swipe $2.1 million from the protocol. Credit: Shutterstock / Serg001
  • Hacker exploits new PEPE lending market to steal $2.1 million from Onyx Protocol.
  • Similar exploit cost Hundred Finance $7 million in April.
  • Both Hundred Finance and Onyx Protocol are forks of Compound Finance.

DeFi lending market Onyx Protocol has lost $2.1 million to a hacker after falling foul to a similar exploit to one that cost another protocol Hundred Finance $7 million in April.

The Ethereum-based protocol recently launched a new lending pool for PEPE, a so-called memecoin based on Pepe the Frog which soared to a $1.5 billion market cap earlier this year.

But when a protocol launches a new lending market, it doesn’t initially contain any assets. This made the PEPE pool a ripe target for exploitation.

“The oPEPE market was set up five days ago but didn’t have any funds in it,” Meir Dolev, co-founder of crypto security platform Cyvers, told DL News.

Stay ahead of the game with our weekly newsletters

Dolev explained that the attacker took advantage of the empty oPEPE market by taking out a flash loan and pretending to donate money. This let them borrow from other markets that did have funds.

They then took back the donated money by taking advantage of a known issue with how amounts are rounded up in the protocol’s code.

“It’s similar to the Hundred Finance hack back in April,” Dolev said. The Hundred Finance hacker used the same exploit to manipulate a Wrapped Bitcoin market.

“The core attack steps are the same except that they are using different markets,” Matthew Jiang, director of security services at BlockSec, told DL News.

Join the community to get our latest stories and updates

Before the hack, Onyx held over $2.8 million worth of user deposits. It now has less than $600,000.

Onyx Protocol's total value locked

Onyx Finance did not immediately respond to DL News’ request for comment.

Onyxcoin, Onyx Protocol’s governance and utility token, has traded down only 1% on the day.

Both Hundred Finance and Onyx Protocol are forks of Compound Finance, a lending protocol with over $2.1 billion of user deposits.

A fork is a new protocol created using the same code as an existing one, sometimes with a few minor changes. Because of shared code, any exploits discovered in one fork will almost always apply to others.

Forks are common in crypto due to the open source nature of the industry. It’s common practice for protocols to make their code publicly available for other developers to use or deploy on other blockchains.

Another fork exploited

Onyx Finance is not the first fork hit by an exploit in recent months.

In August, Solidly fork LeetSwap, one of the first protocols to deploy on Coinbase’s new Base blockchain, suffered a $600,000 hack due to bugs in its protocol logic.

Then in October, Stars Arena, a fork of popular social protocol friend.tech, was exploited for $3 million due to an unanticipated bug in its code.

Aave fork Hope.money suffered an $800,000 hack in the same month. The protocol also lost $2 million shortly after it launched in February.

According to BlockSec’s Jiang, one reason forks appear more susceptible to exploits is due to the dangers of opening new markets with no liquidity.

“The prerequisite of the attack is to open a new market and there is no liquidity in the market,” Jiang told DL News. “This might be one possible reason as forked projects may list new markets more often than the original protocol.”

But some, such as crypto security researcher Pascal Caversaccio, believe that developers who fork DeFi protocols should take extra care to check for bugs. The vulnerability was public knowledge after all.

“Negligence,” he said, “can come at a high cost.”

Tim Craig is DL News’ Edinburgh-based DeFi correspondent. Reach out to him with tips at tim@dlnews.com.