Onyx Protocol: A $2.1 Million Exploit Reveals the Risks of Decentralized Lending

In a startling revelation, the decentralized lending protocol, Onyx Protocol, fell victim to a security exploit resulting in a loss of approximately $2.1 million. The exploit carried out using a known bug in the CompoundV2 fork, has sent ripples through the DeFi landscape.


Decentralized finance (DeFi) has been a hot topic in the world of cryptocurrency, promising to democratize finance by removing intermediaries and allowing peer-to-peer transactions. However, the recent exploit of Onyx Protocol, a decentralized peer-to-peer lending protocol, has raised serious concerns about the security of these platforms. The exploit resulted in a loss of approximately $2.1 million, making it one of the most significant security breaches in DeFi to date. This incident serves as a stark reminder of the risks involved in DeFi and underscores the need for robust security measures. In this article, we delve into the details of this exploit and its implications for the future of decentralized finance.

The Onyx Protocol Exploit

The blockchain analytics firm, PeckShield, was the first to disclose the exploit of Onyx Protocol. Their tweet revealed that Onyx Protocol had lost close to $2.1 million in Ethereum (ETH) to the exploiters. It was discovered that the exploiter’s wallet contained 1,164 ETH, which is roughly equivalent to $2.1 million. As of now, the specifics of the exploit are still being uncovered and Onyx Protocol has not yet issued a statement on the matter. This event emphasizes the necessity for strong security measures in DeFi platforms and serves as a stark warning of the potential risks involved.

Official tweet by PeckShield Account


The crypto community has responded to this incident with concern. PeckShield, a blockchain analytics firm, was the first to disclose the exploit, and their tweet about the incident has brought attention to the inherent security risks in DeFi platforms.  

PeckShield via X(Twitter)

Alex Onyx, the community leader of Onyx Protocol, shared on Twitter that Onyx Protocol had experienced an exploit, resulting in a loss of approximately 1,163.53 ETH, which is roughly $2.1 million. 

Alex Onyx via X(Twitter)

He assured the community that they were aware of the situation and had closed the vulnerability. They are currently working on addressing the consequences with their partners. He also provided an update stating that the exploit did not affect the XCN token and its contract, the XCN staking pool, and the Uniswap trading pools, confirming that they are safe.

Alex Onyx via X(Twitter)

The Bigger Picture: Security in Decentralized Finance

The recent exploit of the Onyx Protocol has brought to light the broader implications for security in decentralized finance (DeFi). This is not an isolated incident. The same rounding issue bug that was exploited in the Onyx Protocol was also present in Hundred Finance, another multi-chain lending protocol. This bug led to a significant security breach in Hundred Finance, resulting in a loss of about $7 million due to a hack on the Ethereum layer-2 blockchain, Optimism. The exploit was carried out by taking advantage of an integer rounding vulnerability in the hToken contract logic for redeeming underlying tokens. 

This vulnerability becomes evident when a market lacks liquidity. The attacker was able to drain 1,030 ETH, 1,265,979 USDC, 1,113,431 USDT, 865,143 SUSD, 842,788 DAI, 457,286 FRAX and 20,854 SNX from the protocol. This included assets from the current deployment as well as around $50,000 worth of ETH, USDC and SNX remaining from the previous Optimism Deployment of the app. These incidents serve as stark reminders of the inherent risks involved in DeFi and underscore the need for ongoing vigilance and proactive security measures. 


In conclusion, the recent exploit of the Onyx Protocol, resulting in a loss of approximately $2.1 million, has brought to light the broader implications for security in decentralized finance (DeFi). The exploit was carried out using a known bug in the CompoundV2 fork, a popular platform in the DeFi space. This bug is a rounding issue that has been exploited before, notably in an incident involving Hundred Finance where a hacker extorted $7 million.

From an analyst’s perspective, these incidents highlight the need for DeFi platforms to invest more in security audits and measures. These platforms must learn from such exploits and implement necessary precautions to prevent similar incidents in the future. The future of DeFi depends on its ability to provide secure and reliable services to its users.

Categorized in:

Tagged in: