Like Hundred Finance, OnyxProtocol Exploited with FlashLoan, $2.1M Gone

  • OnyxProtocol (XCN) suffers a $2.1 million loss in a DeFi hack.
  • Scammers used a vulnerability similar to the one in the earlier Hundred Finance hack.
  • The attackers manipulated an empty contract and used a rounding error in the contract’s redemption function.

The prominent decentralized finance (DeFi) lending protocol OnyxProtocol (XCN) has become one of the latest targets for crypto scammers. In a recent post on the X platform (formerly Twitter), the renowned blockchain security threat tracker SlowMist disclosed that OnyxProtocol lost over $2.1 million following an exploit.

According to the SlowMist team, the hacker exploited the same vulnerability previously exploited in the Hundred Finance hack that occurred earlier this year. Specifically, the scammers borrowed more funds than expected by manipulating interest rates.

Moreover, SlowMist disclosed that the hacker moved the stolen funds to the well-known sanctioned crypto mixer Tornado Cash to obfuscate traces of the crypto assets. Meanwhile, in a related conversation, PeckShield, another blockchain security tracker, added further context to the OnyxProtocol hack.

PeckShield noted that the oPEPE market exploited in the scammer’s transaction had been deployed five days earlier and had no liquidity. Therefore, the vacant market was manipulated by making donations to it, essentially a flash loan, enabling the attacker to borrow funds from other markets that had liquidity. Subsequently, the attacker exploited a rounding error to redeem the donated funds.

Similarly, PeckShield acknowledged that the attack was identical to the one observed in Hundred Finance, wherein over seven million dollars were lost. According to an April blog post by growth hacker Rob Behnke, Hundred Finance initially established its WTC hTokens contracts by creating two similar contracts, one active and one empty.

Therefore, attackers abused the exchange rate between WTC and hWTC by donating to the empty contract, draining its value, while also taking advantage of the rounding error in the contract’s redemption function. “This hack highlighted the risks of copy-pasting code from third parties,” Behnke remarked on the Hundred Finance exploit.
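The interaction between a donation to an empty market and a truncating redemption can be seen in a small integer model. This is an added example, not code from OnyxProtocol, Hundred Finance or the article's sources; the exchange-rate and redemption formulas are an assumption modelled on Compound-v2-style share accounting, and the names `Market`, `thin_market`, `scenario` and all numbers and thresholds are constructed. It places the truncating redemption beside a round-up variant and a simple monitoring check for near-empty markets.

```python
SCALE = 10**18  # fixed-point scale for the exchange rate (assumed convention)

class Market:
    """Toy share-token market; integer math only, like on-chain code."""
    def __init__(self, round_up_on_redeem=False):
        self.cash = 0            # underlying held by the market contract
        self.total_supply = 0    # share tokens outstanding
        self.round_up = round_up_on_redeem

    def exchange_rate(self):
        if self.total_supply == 0:
            return SCALE         # constructed initial rate of 1:1
        return self.cash * SCALE // self.total_supply

    def mint(self, amount):
        shares = amount * SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += shares
        return shares

    def donate(self, amount):
        self.cash += amount      # direct transfer: no shares are minted

    def redeem_underlying(self, amount):
        """Withdraw `amount` underlying; return the shares burned for it."""
        rate, num = self.exchange_rate(), amount * SCALE
        shares = -(-num // rate) if self.round_up else num // rate
        if shares > self.total_supply or amount > self.cash:
            raise ValueError("insufficient shares or cash")
        self.cash -= amount
        self.total_supply -= shares
        return shares

def thin_market(m, min_supply=1000, max_rate=100 * SCALE):
    """Monitoring check (constructed thresholds): few shares, inflated rate."""
    return 0 < m.total_supply < min_supply and m.exchange_rate() > max_rate

def scenario(round_up):
    m = Market(round_up)
    m.mint(2)                    # 2 shares exist in an otherwise empty market
    m.donate(1_000_000)          # rate becomes 500_001 underlying per share
    flagged = thin_market(m)
    rate = m.exchange_rate()
    burned = m.redeem_underlying(1_000_001)
    accounted = burned * rate // SCALE   # value the share accounting saw leave
    return flagged, burned, accounted

print(scenario(False))  # truncation: 1 share burned for 1_000_001 withdrawn
print(scenario(True))   # round-up: 2 shares burned, covering the withdrawal
```

With truncation the share accounting records only 500,001 units leaving while 1,000,001 are withdrawn; rounding the burned shares up, or refusing to operate a market that `thin_market` flags, closes that gap in this model.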

Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.