OnyxDAO Loses $3.8 Million in Precision Exploit Targeting Forked Compound V2 Code

The decentralized finance ecosystem suffered another blow on September 26, 2024, as OnyxDAO, a DeFi lending protocol built on forked Compound V2 code, fell victim to a flash loan attack that drained approximately $3.8 million in assets. The exploit exposed a persistent vulnerability that had already been used against the protocol less than a year prior, raising serious questions about the security practices of projects relying on inherited code without thorough auditing.

The Exploit Mechanics

The attacker leveraged a known precision loss vulnerability embedded in the Compound V2 codebase that OnyxDAO had implemented without modification. By deploying a malicious smart contract, the attacker manipulated the protocol’s internal exchange rate calculations, artificially inflating the value of small deposits within empty lending markets.

The precision flaw works as follows: when a market has very low liquidity, the exchange rate between the underlying token and the protocol’s interest-bearing token becomes susceptible to manipulation through rounding errors. The attacker exploited this by depositing a minimal amount into an undercollateralized market, then using flash loans to magnify the impact of the rounding discrepancy across multiple transactions.

This allowed the attacker to mint far more tokens than their deposit warranted, ultimately draining 4.1 million VUSD stablecoins along with XCN, DAI, WBTC, and USDT from the protocol’s reserves. Bitcoin traded near $65,181 at the time of the attack, and the broader crypto market was experiencing a bullish momentum shift driven by China’s stimulus announcements, making the exploit’s timing particularly damaging for user confidence.

Affected Systems

The attack specifically targeted OnyxDAO’s lending markets, which operate as decentralized borrowing and lending pools. The protocol is classified as a farm-type yield platform, meaning users deposit collateral to earn yield while borrowers access liquidity against that collateral. The affected markets included the VUSD, XCN, DAI, WBTC, and USDT pools.

Critically, this was not a novel attack vector. The same precision vulnerability in forked Compound V2 code had been exploited against OnyxDAO previously, and similar attacks have targeted numerous other protocols that forked the same codebase without addressing the known flaw. The protocol’s smart contracts were unverified, and the team behind it remains anonymous, compounding the difficulty of recovery efforts.

The Mitigation Strategy

Preventing this class of attack requires a multi-layered approach to smart contract security. First, protocols forking existing codebases must conduct thorough audits that specifically examine known vulnerabilities in the upstream project. Compound V2’s precision issues have been well-documented in security research, making their presence in OnyxDAO’s code a clear oversight.

Second, empty or low-liquidity markets represent a significant attack surface. Protocols should implement minimum liquidity thresholds before markets become active, and exchange rate calculations should incorporate safeguards against precision loss in low-liquidity environments. Oracle-based validation of exchange rates can serve as an additional check against manipulation.
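The rounding behaviour described under The Exploit Mechanics and the minimum-liquidity safeguard recommended above, as an added example that is not OnyxDAO's or Compound's own code: it reproduces Compound V2's integer exchange-rate formulas so the worst-case rounding loss of a redeem can be measured for a given market state, and wraps that measurement in the activation check a protocol could apply. The market figures and the tolerance value are constructed for illustration.

```python
"""Fixed-point exchange-rate arithmetic of a Compound V2-style cToken market.

Constructed example (not OnyxDAO's or Compound's code): it mirrors the integer
formulas so the rounding loss on a thin market can be quantified, and shows why
a minimum-liquidity threshold bounds that loss before a market goes live.
"""
EXP_SCALE = 10**18  # Compound's 1e18 fixed-point mantissa


def exchange_rate(cash: int, borrows: int, reserves: int, total_supply: int) -> int:
    """exchangeRate = (cash + borrows - reserves) * 1e18 / totalSupply, floored."""
    if total_supply == 0:
        raise ValueError("empty market: no cTokens outstanding")
    return (cash + borrows - reserves) * EXP_SCALE // total_supply


def ctoken_unit_value(rate: int) -> int:
    """Underlying units represented by a single cToken unit at this rate."""
    return rate // EXP_SCALE


def redeem_rounding_loss(underlying_out: int, rate: int) -> int:
    """Underlying paid out beyond what the burned cTokens were worth.

    redeemUnderlying burns underlying_out * 1e18 / rate cTokens, floored, so the
    protocol rounds in the redeemer's favour by less than one cToken unit's value.
    In a seeded market that is a few wei; in a thin market it can be most of the pool.
    """
    burned = underlying_out * EXP_SCALE // rate
    backed = burned * rate // EXP_SCALE
    return underlying_out - backed


def market_is_safe(cash: int, borrows: int, reserves: int, total_supply: int,
                   max_loss_per_op: int) -> bool:
    """Minimum-liquidity check: a market is active only while the worst-case
    rounding loss of one redeem (one cToken unit's value) stays within tolerance.
    """
    if total_supply == 0:
        return False
    rate = exchange_rate(cash, borrows, reserves, total_supply)
    return ctoken_unit_value(rate) <= max_loss_per_op


if __name__ == "__main__":
    # Constructed states: 1,000,000 underlying (18 decimals) behind 5e14 cToken
    # units (seeded) versus the same balance behind a single cToken unit (thin).
    seeded = exchange_rate(10**24, 0, 0, 5 * 10**14)
    thin = exchange_rate(10**24, 0, 0, 1)
    print("per-op loss bound, seeded:", ctoken_unit_value(seeded), "wei")
    print("per-op loss bound, thin:  ", ctoken_unit_value(thin), "wei")
```

The tolerance passed to `market_is_safe` is a policy choice; the point is that it depends on totalSupply, which is exactly what an empty market lacks.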

Third, bug bounty programs and continuous monitoring are essential. Real-time on-chain monitoring tools can detect unusual transaction patterns—such as rapid state changes within a single block—that often precede or accompany flash loan exploits.

Lessons Learned

The OnyxDAO incident reinforces a troubling pattern in DeFi: protocols continue to fork code without fully understanding its vulnerabilities. The $3.8 million loss was entirely preventable, as the exploit vector was well-known and had been used against the same protocol before. According to Immunefi’s Q3 2024 report published the same day, the crypto industry lost over $413 million to hacks and scams between July and September, with hacker attacks accounting for 99.25 percent of all losses.

The report highlights that DeFi protocols face more frequent attacks but smaller individual losses compared to centralized finance platforms. However, the cumulative impact is substantial: 31 DeFi attacks in Q3 alone resulted in $104 million in losses. Only $14.9 million—3.6 percent of stolen funds—was recovered across all incidents.

User Action Required

If you have funds deposited in OnyxDAO or similar protocols built on forked Compound V2 code, you should immediately assess your exposure. Check whether the protocol has undergone a comprehensive security audit from a reputable firm, and verify whether known Compound V2 vulnerabilities have been patched. Diversify your DeFi exposure across multiple protocols rather than concentrating funds in a single platform, and always prioritize protocols with verified contracts and known development teams over anonymous projects with unaudited code.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.

11 thoughts on “OnyxDAO Loses $3.8 Million in Precision Exploit Targeting Forked Compound V2 Code”

      1. twice with the same bug is wild. the first exploit in december was a warning shot and they just… didn't fix it. $3.8M worth of apathy

        1. first hit was december 2023 for 2.1m. second was september 2024 for 3.8m. same code same bug same outcome. this team learned nothing

    1. ^ exactly. the exchange rate manipulation on empty markets is a known vector since 2020. auditors should catch this in their sleep

    2. empty_market_rug

      the precision loss on empty markets was literally documented in the compound v2 audit report from 2019. onyx just copy-pasted without reading it. twice

    3. forking compound v2 without modifying the exchange rate logic on empty markets is the DeFi equivalent of leaving your front door open with a sign that says please don't rob me

    1. the OpenZeppelin guide has been out for years. forking without checking inherited edge cases is just lazy engineering

  1. flash loan plus empty market manipulation is the oldest trick in the book. iron bank got hit with the exact same thing in 2021. forking code without fixing known vectors should be negligent homicide for treasuries
