Another exploit has troubled the decentralised finance (DeFi) sector, resulting in a loss of more than $2.1million.
Today, 1 November, blockchain investigator PeckShield, alerted peer-to-peer decentralised lending platform Onyx about the hack that went unnoticed by the protocol. The hacker managed to drain the funds by exploiting a known bug in its codebase.
Known as the “precision loss”, the exploit was executed using an integer rounding issue behind an older forked version of Compound V2, which Onyx had incorporated into its underlying architecture. This was further aided by a flash loan.
The director of security services at the security firm BlockSec, Matthew Jiang, explained the same saying: “The attacker took out a flash loan of a substantial amount of $ETH, swapped it for $PEPE, and donated it to a specific pool to manipulate the exchange rate. Subsequently, due to the so-called precision loss, the attacker was able to withdraw more of the underlying asset by burning fewer shares.”
PeckShield also did an independent investigation on the matter where it confirmed that the alleged liquidity lacking oPEPE market was “abused with donation to borrow funds from other markets with liquidity”.
“The donated funds were then redeemed by exploiting the known rounding issue”, it added.
In April this year, Hundred Finance experienced a similar security breach where an attacker exploited the same bug on the multichain lending protocol. The losses suffered was estimated to be around $7.4m.
The hack involved the manipulation of the exchange rate between ERC-20 tokens and hTOKENS, facilitating the withdrawal of more tokens than they had originally deposited. Blockchain security firm Certik described the same saying-
“The exchange rate formula was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up.”
As per on-chain data, the hacker behind the recent Onyx hack sent 700 $ETH, around $1.25m, to the crypto mixing service Tornado Cash.
Recently, Tornado Cash has emerged as the focal point of a number of attacks and hacks. It has attracted a lot of attention from malicious actors because of its anonymising feature that conceals the identity of the buyer.
The privacy protocol is now increasingly being associated with attacks and hacks to obscure the origin of funds transacted through it. Even in last month’s Unibot hack, the attacker was seen utilising Tornado Cash to swap the stolen crypto for $ETH.
Two of its founders are already facing allegations for money laundering and sanctions violations. Back in August this year, the Federal Bureau of Investigation, the Justice Department and the Internal Revenue Service’s Criminal Investigation unit charged Roman Storm and Roman Semenov in a joint-action for laundering more than $1 billion in criminal proceeds.
Tornado Cash also faces sanctions at the hands of the US Treasury Department’s Office of Foreign Asset Control (OFAC). This followed the allegations that said North Korea’s Lazarus group was laundering the funds from multiple crypto hacks through it.
Back then, the US Attorney Damien Williams had said in a statement that Tornado Cash and its operators “knowingly facilitated” money laundering.