The Onyx Protocol hacker strikes again, this time exploiting a familiar bug to siphon $2.1 million from Tornado Cash. Learn about this decentralized lending platform’s loss and the intriguing connection to a previous $7 million exploit.
In a twist of déjà vu, the Onyx Protocol hacker has reared their head once more, making off with a substantial $2.1 million in a cunning exploit targeting Tornado Cash. The attacker capitalized on a known bug in the widely used CompoundV2 fork, the same bug that had previously been used to drain $7 million from Hundred Finance.
The incident unfolded on Oct. 27, when Onyx Protocol's decentralized, peer-to-peer lending platform fell victim to an attack on a market that had no liquidity. Notably, the protocol itself did not detect the breach. PeckShield, a blockchain investigator, shed light on the exploit and described the hacker's modus operandi.
— PeckShieldAlert (@PeckShieldAlert) November 1, 2023
The hacker manipulated the so-called oPEPE market, using donations to borrow funds from other markets that did have liquidity. The borrowed funds were then redeemed by exploiting the familiar rounding issue.
This exploit’s eerie familiarity harks back to April 16, when the same bug was exploited to pilfer $7 million from Hundred Finance, a multichain lending protocol. In that instance, the attacker manipulated ERC-20 token exchange rates, enabling them to withdraw more tokens than initially deposited, as documented by CertiK.
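To make the exchange-rate and rounding mechanics concrete, the following toy model is an added example written for this page; it is not Onyx, Hundred Finance or Compound code, and the market figures, the hardened redeem and the monitoring check are constructed assumptions rather than any project's shipped fix. It shows why a market with almost no cToken supply is dangerous (a donation inflates its exchange rate), how a truncating redeem pays out more underlying than the burned tokens are worth, and what a redeem that rounds against the user looks like.

```python
from dataclasses import dataclass

SCALE = 10**18  # Compound v2 style: the exchange rate carries 18 decimals of scaling


@dataclass
class Market:
    """Toy cToken-style market (constructed; borrows/reserves kept so the rate formula matches)."""
    cash: int           # underlying tokens the market holds
    borrows: int        # underlying lent out
    reserves: int       # protocol reserves
    total_supply: int   # cTokens outstanding

    def exchange_rate(self) -> int:
        # exchangeRate = (cash + borrows - reserves) * 1e18 / totalSupply
        return (self.cash + self.borrows - self.reserves) * SCALE // self.total_supply


def donate(m: Market, amount: int) -> int:
    """Direct transfer of underlying: cash grows, no cTokens are minted, so the rate jumps."""
    m.cash += amount
    return m.exchange_rate()


def redeem_underlying_truncating(m: Market, amount: int) -> int:
    """Vulnerable shape: cTokens to burn = amount / rate, rounded DOWN (in the redeemer's favour)."""
    tokens = amount * SCALE // m.exchange_rate()
    m.cash -= amount
    m.total_supply -= tokens
    return tokens


def redeem_underlying_hardened(m: Market, amount: int) -> int:
    """Hardened shape (assumed mitigation): round burned cTokens UP and refuse a zero burn."""
    rate = m.exchange_rate()
    tokens = -(-amount * SCALE // rate)          # ceiling division
    if tokens == 0 or tokens > m.total_supply:
        raise ValueError("redeem would burn nothing or more than exists")
    m.cash -= amount
    m.total_supply -= tokens
    return tokens


def rounding_giveaway(m: Market, amount: int) -> int:
    """Underlying paid out beyond the value of the cTokens a truncating redeem would burn."""
    rate = m.exchange_rate()
    tokens = amount * SCALE // rate
    return amount - tokens * rate // SCALE


def thin_supply_alert(m: Market, min_supply: int) -> bool:
    """Monitoring check: a market with a tiny cToken supply can have its rate inflated by a donation."""
    return m.total_supply < min_supply
```

With two wei of cTokens outstanding, a donation of 1e24 underlying pushes the rate to about 5e23 per token, and a truncating redeem of 1e24 + 1 underlying burns a single cToken while draining nearly all the cash; the hardened version burns two.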
#CertiKSkynetAlert 🚨@HundredFinance's attacker manipulated the exchange rate between ERC-20 tokens and htokens, which allowed them to withdraw more tokens than they had originally deposited. The estimated losses from this attack are around $7.4 million.
Stay vigilant! https://t.co/1hxAnFoNjj
— CertiK Alert (@CertiKAlert) April 15, 2023