Onyx apparently didn't learn their lesson the first time around, when they were exploited for $2 million in November 2023 by an attacker taking advantage of a known vulnerability affecting empty markets on the protocol. This same bug seems to have contributed to this exploit, although Onyx has claimed the hack was due to a separate vulnerability in an NFT liquidation contract.
Onyx hacked for $3.8 million via the same exploit used against them less than a year ago
The Onyx protocol was hacked for a second time by attackers taking advantage of known bugs in forks of the Compound Finance project. Projects regularly fail to patch these bugs, despite many instances of multi-million dollar hacks affecting Compound forks in the past.
Compound DAO passes $24 million proposal in alleged governance attack
A controversial proposal in front of the Compound Finance DAO has narrowly passed, granting 499,000 COMP (~$24 million, and amounting to 5% of the project's treasury) to an outside group. A Compound Finance whale, "Humpy", proposed the vote to allocate the tokens to a protocol created by a group called the "Golden Boys", which Humpy also leads. The vote was the third attempt to allocate tokens to the Golden Boys' group, after two unsuccessful votes in May and earlier in July.
Humpy has previously been accused of governance attacks on other protocols, including Balancer and SushiSwap.
Prior to the proposal's passage, some Compound Finance DAO members raised objections. "In my personal opinion, the actions of Humpy and the Golden Boys can be considered a governance attack if they persist in their attempts to take funds from the protocol in clear opposition to the will of all other Compound DAO delegates," stated Compound Finance security adviser Michael Lewellen, who also described the proposal as "a malicious attempt to steal funds from the protocol".
Afterwards, Lewellen wrote that "OpenZeppelin is working with all active delegates and Compound contributors to assess our options for protecting the protocol. We see serious risks to the future decentralization of the DAO as a result of Proposal 289 passing and so we are exploring options to mitigate or reverse this outcome."
- "Compound DAO asleep at the wheel as $25M governance 'attack' passes", Protos
- "$24 million Compound Finance proposal passed by whale over DAO objections", The Block
- "Trust Setup for DAO investment into GoldCOMP", Compound Finance discussion
- "Governance Security Notice: goldCOMP Proposal 247", Compound Finance discussion
Popular defi protocol websites replaced with wallet drainers amid mass Squarespace domain hijacking
Websites providing the frontends for some popular defi services, including Compound Finance, were compromised and replaced with wallet drainers: websites resembling the usual frontend, but which drain unsuspecting users' wallets when used.
Somewhat ironically, the "Unstoppable Domains" web3 domain service was also impacted, and their site was offline for a while before they regained control.
The hijacking appears to be thanks to an attack on Squarespace's domain registry. Crypto founder Bobby Ong has suggested that the attack is affecting domains acquired through Google Domains, which sold its business to Squarespace several months ago. "Tthe forced migration of domains to Squarespace removed 2FA causing all these domains to be vulnerable and several have been hijacked," he wrote. "Best thing to do is to not interact with crypto and rest for the next couple of days until everything is resolved."
Web2 is going just great!
Sonne Finance hacked for at least $20 million
The Sonne Finance lending protocol was exploited for at least $20 million as an attacker was able to exploit a vulnerability in some of their smart contracts. Sonne is a fork of the Compound Finance project, which has known vulnerabilities that are sometimes not properly addressed by people who reuse the code — as has happened with Radiant Capital and Rari.
After being alerted to the theft by several security companies, Sonne announced they had paused the contract on the Optimism Ethereum layer-2 chain.
Radiant Capital lending protocol hacked for $4.5 million
Radiant Capital, a cross-chain lending protocol built on the Arbitrum layer-2 network, was hacked for 1,900 ETH (~$4.5 million). The exploit relied on a flaw in the underlying code, which was forked from Compound and Aave. The original code has a known rounding issue, which makes new projects vulnerable to attack shortly after they are deployed if they are not specifically configured to avoid the issue. In this case, the attacker had observed the contract being deployed and performed the exploit only six seconds after the project was activated.
Radiant Capital sent an on-chain message to the attacker, offering to negotiate a bounty.
- Tweet thread by Radiant Capital [archive]
- Tweet thread by PeckShield [archive]
- On-chain message from Radiant Capital to the exploiter [archive]
Wallet gets phished for $4.4 million
Someone had a not so fun end to the year when they fell victim to a phishing attack and had around 275,700 LINK drained from their crypto wallet. Those tokens are priced at around $4.4 million.
The attack was perpetrated by the Pink Drainer group, which had recently compromised the Twitter account of Compound Finance to try to lure its more than 250,000 followers into authorizing the malicious drainer. It's not clear if that's how this wallet was drained, however, as Pink Drainer uses numerous strategies to attract victims.
Onyx hacked for $2.1 million
The Onyx Protocol was hacked for 1,164 ETH (~$2.1 million) after an exploiter took advantage of a known vulnerability affecting forks of Compound Finance. The bug allows attackers to siphon funds from new and unfunded markets on Compound forks — in this case, a new pool that had been created for the PEPE token.
After pulling off the hack, the attacker received the usual flood of on-chain messages from people asking them to share some of their ill-gotten funds. Unusually, the attacker followed through, ultimately sharing 19.5 ETH (~$36,000) out of their spoils.
Onyx is far from the first Compound fork to fail to patch known vulnerabilities and suffer hacks as a result. Hacks stemming from known Compound bugs, such as the attacks on Rari Capital and Sonne Finance, have netted tens of millions of dollars apiece for attackers in the past.
Compound Finance breaks their cETH market for a week
Compound Finance released an update to change the price feed used by the Compound v2 protocol. Despite being audited by three firms, no one caught a bug that caused all transactions for ETH borrowers and lenders to revert, effectively freezing the entire cETH market on the protocol. Because code changes require a seven-day-long vote, the change can't be reverted until a new proposal passes. In the meantime, users with positions they can't access will need to add collateral or repay loans carefully in order to avoid being liquidated if the price of ETH drops by the time the market is operational again.
$80 million stolen from Fei Protocol and Rari
A hacker attacked multiple Rari liquidity pools relating to the Fei Protocol, exploiting a known re-entrancy vulnerability that exists on forks of the Compound protocol. The attacker stole more than $80 million from the projects.
Fei Protocol tweeted that they had paused borrowing to avoid further thefts, and offered a $10 million bug bounty if the hacker returned the money.
Founder of DeFi platform Compound threatens users who received mistaken payments with the IRS
Robert Leshner, the founder of Compound Labs, took an unusual approach when trying to recoup funds that were mistakenly distributed through a $160 million bug in the protocol. He tweeted, "Please return [the funds]. Keep 10% as a white-hat. Otherwise, it's being reported as income to the IRS". The threats were not received particularly well, with some questioning what assumptions Leshner was making about his typical user's tax status, and Leshner subsequently apologized for his "bone-headed" tweet.