
Onyx Protocol Suffers $2.1 Million Exploit Through Empty PEPE Lending Pool

On November 1, 2023, the decentralized finance lending protocol Onyx Protocol fell victim to a sophisticated exploit that drained 1,164.53 ETH, approximately $2.1 million at the time of the attack. The breach targeted a newly created and unfunded PEPE token lending market, exploiting a well-known vulnerability in Compound V2 forked code that has now caused cumulative losses exceeding $10 million across similar platforms.

The Exploit Mechanics

The attacker leveraged what security researchers term an “empty pool attack,” a vulnerability inherent in the Compound V2 codebase when initializing new, unfunded markets. Onyx Protocol, a fork of Compound Finance, had recently added a PEPE memecoin lending market through Proposal 22. The alarmingly low community participation in this governance proposal meant insufficient oversight before the new market went live.

The exploit unfolded in several stages. First, the attacker minted oPEPE tokens in the empty pool, then strategically donated assets to inflate the token value. By exploiting a rounding error in the protocol’s redemption logic, the attacker could borrow significantly more assets than legitimately warranted against the overvalued oPEPE collateral. This rounding discrepancy allowed the attacker to redeem more tokens than were actually due, systematically draining the protocol’s liquidity pools.

Blockchain analysis by SlowMist revealed that the attacker’s methods closely mirrored those used in the earlier Hundred Finance exploit, suggesting either the same attacker or shared exploit tooling within the hacking community. The stolen funds—1,164 ETH—were first transferred to an intermediary address before 1,140 ETH were routed through Tornado Cash, a privacy-preserving protocol frequently used to obscure transaction trails.

Affected Systems

The immediate financial impact was severe. Onyx Protocol’s total value locked plummeted 87%, from $2.9 million before the hack to just $392,000 afterward. Beyond the direct theft of 1,164 ETH, the protocol lost an additional 250 ETH as panicked users rushed to withdraw their remaining funds, compounding the damage through a loss of confidence rather than just a loss of capital.

The exploit address (0x085bdff2c522e8637d4154039db8746bb8642bff) and the repeat-exploit address (0x5083956303a145f70ba9f3d80c5e6cb5ac842706) have been flagged by multiple blockchain security firms. Notably, the attacker shared approximately 19.5 ETH of the stolen funds with individuals who contacted them, an unusual gesture that did little to mitigate the broader damage.

The Mitigation Strategy

In the aftermath, the Onyx Protocol team began exploring avenues to compensate affected users and harden their infrastructure. However, the incident underscores a critical lesson for the DeFi ecosystem: forking established protocols without addressing their known vulnerabilities is a recipe for repeated exploits. The same “empty pool” vulnerability in Compound V2 forks has been exploited multiple times across different platforms, demonstrating that the DeFi community has not adequately internalized these lessons.

Effective mitigation requires multi-layered defenses. Protocols should implement thorough audits specifically targeting known vulnerabilities in forked codebases. Governance proposals that add new markets or features should require minimum quorum thresholds to ensure adequate community review. Real-time monitoring systems capable of detecting anomalous borrowing patterns can provide early warnings before full exploitation occurs.
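The exchange-rate arithmetic behind the mechanics described above and the launch-time check this paragraph calls for, as an added example that is not Onyx's or Compound's code: a minimal model of a Compound V2 style market (all values constructed; `Market`, `empty_pool_risk` and `scenario` are hypothetical names) showing how a dust-sized share supply turns one indivisible oToken unit into a huge slice of the pool, and how seeding the market at launch keeps that rounding granularity negligible.

```python
from dataclasses import dataclass

MANTISSA = 10**18  # fixed-point scale Compound V2 uses for exchange rates


@dataclass
class Market:
    """Minimal Compound V2 style cToken market (constructed, not Onyx's code)."""
    cash: int          # underlying (wei) held by the market contract
    borrows: int       # outstanding borrows (wei)
    reserves: int      # protocol reserves (wei)
    total_supply: int  # cToken base units in circulation
    initial_rate: int  # initialExchangeRateMantissa, used while supply is 0

    def exchange_rate(self) -> int:
        # Compound V2: (cash + borrows - reserves) * 1e18 / totalSupply
        if self.total_supply == 0:
            return self.initial_rate
        return (self.cash + self.borrows - self.reserves) * MANTISSA // self.total_supply

    def mint(self, underlying: int) -> int:
        """Deposit underlying, receive cTokens at the current rate (rounded down)."""
        minted = underlying * MANTISSA // self.exchange_rate()
        self.cash += underlying
        self.total_supply += minted
        return minted

    def donate(self, underlying: int) -> None:
        """Underlying sent straight to the contract: cash rises, nothing is minted."""
        self.cash += underlying

    def underlying_per_share_unit(self) -> int:
        """Wei behind one indivisible cToken unit: the granularity at which
        redemption arithmetic rounds, hence the size of one rounding discrepancy."""
        return self.exchange_rate() // MANTISSA


def empty_pool_risk(market: Market, min_supply: int, max_unit_value: int) -> bool:
    """Launch/monitoring check: supply below a floor, or one share unit worth too much."""
    return (market.total_supply < min_supply
            or market.underlying_per_share_unit() > max_unit_value)


def scenario(seed: int, dust_mint: int, donation: int) -> Market:
    """Constructed timeline: protocol seeds `seed` wei (0 = unfunded, as at Onyx)."""
    m = Market(cash=0, borrows=0, reserves=0, total_supply=0, initial_rate=2 * 10**26)
    if seed:
        m.mint(seed)  # seed shares stay with the protocol and are never redeemed
    m.mint(dust_mint)
    m.donate(donation)
    return m
```

With no seed, a 2e8 wei mint leaves a supply of exactly one share unit, so a 10,000-token donation makes that single unit worth the whole pool; with 1,000 tokens seeded, the same mint-and-donate leaves each unit worth a few gwei and the check stays quiet.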

Lessons Learned

The Onyx Protocol exploit reinforces several critical security principles. First, inherited code carries inherited risks—every fork of Compound V2 should treat the empty pool vulnerability as a known threat requiring explicit mitigation. Second, governance participation directly impacts security; Proposal 22 passed with minimal oversight, and the consequences were immediate. Third, DeFi protocols must implement circuit breakers that automatically pause suspicious activity, particularly in newly created markets with minimal liquidity.

For users, this incident serves as a reminder to evaluate the security posture of any protocol before depositing funds. Key indicators include the quality and recency of security audits, the protocol’s governance participation rates, and whether known vulnerabilities in forked code have been explicitly addressed.

User Action Required

If you had funds deposited in Onyx Protocol, monitor the project’s official communication channels for recovery plans and compensation timelines. Verify that any tokens or positions you hold have not been affected by the exploit by checking your wallet against the known exploit addresses. As a general practice, diversify your DeFi exposure across multiple protocols and never deposit more than you can afford to lose in a single platform, particularly those with relatively low total value locked and limited governance participation.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.


9 thoughts on “Onyx Protocol Suffers $2.1 Million Exploit Through Empty PEPE Lending Pool”

  1. 1164 ETH drained and the governance proposal had what, single digit votes? when will defi protocols learn that governance participation below 5% is a security risk

    1. Priya D. single digit votes on a proposal adding a memecoin lending market. governance participation is a joke outside the top 5 protocols

  2. compound v2 fork bug strikes again. $10 million cumulative losses across similar platforms and teams keep forking the same vulnerable code without auditing edge cases

    1. fork_this_ the real question is why does anyone still fork compound v2 in 2023. audited alternatives exist but teams pick the easy route

      1. defi_graveyard

        compound_ghost because the alternative is building from scratch which takes 6 months and 3 audits. teams pick speed over safety every time

    2. the rounding error in redemption logic is well documented too. at this point if you fork compound v2 without patching the known empty pool issue you're negligent

  3. adding a memecoin lending market with zero liquidity and no extra safeguards was asking for trouble. the empty pool attack vector was literally documented on compound github

  4. governance proposal 22 had almost zero participation and nobody checked if the new pepe market was safe before launching. this is why defi governance is broken

    1. governance_watcher

      Aisha M. proposal 22 had like 5 votes total. governance participation in defi is a joke outside of the top 5 protocols

