$2 million OnyxProtocol Precision Loss Vulnerability: A Technical Deep Dive

In the ever-evolving landscape of blockchain technology, staying a step ahead in terms of security is not just ideal — it’s a necessity. Today expert blockchain security engineers and auditors, we explore the recent precision loss vulnerability that led to a severe exploit of the OnyxProtocol, resulting in a loss of approximately $2 million.

Understanding the Attack Vector

The vulnerability was exposed in the oPEPE market, soon after its initialization by proposal 22. The exploit followed a pattern of manipulating the exchange rate through precision losses — a classic yet potent problem in smart contract security.

For those interested in a detailed transactional overview, the attack transaction is available here: Attack TX

The Exploiter’s Methodology

The attacker initiated the exploit by depositing an insignificant amount of shares against a disproportionately large sum of PEPE tokens to skew the exchange rate. The imbalance created enabled the borrowing of Ethereum from the market at a highly favorable rate. This was followed by redeeming the PEPE tokens back to the attacker, exploiting the precision loss bug in the redeemUnderlying function.

Key Addresses involved in this exploit are as follows:

• Attacker: Etherscan Attacker Address
• Attack Contract: Etherscan Attack Contract
• Vulnerable Onyx Contract: Etherscan Vulnerable Contract

For complementary analysis, you may refer to the associated Twitter update from Phalcon and the descriptive attack vector from DecurityHQ.

A Closer Look at The Breach

The exploit was carried out by leveraging a series of token swaps alongside the minting and borrowing behaviors of the oPEPE market. The associated Proof of Concept (PoC) demonstrates all these actions in a step-by-step execution.

The attacker uses a flash loan to start the exploit, borrowing a large amount of WETH, and then swapping it for PEPE tokens. The significance of this attack is the manipulation of the exchange rate in the IntermediateContractETH and IntermediateContractToken.

The Vulnerability in Detail

A sharp eye would spot the crux of the exploit in these lines within the IntermediateContractETH contract:

oPEPE.redeem(oPEPE.totalSupply() - 2);
uint256 redeemAmt = PEPE.balanceOf(address(this)) - 1;
...
oPEPE.redeemUnderlying(redeemAmt);

The attacker takes advantage of the integer underflow vulnerability to redeem far more tokens than entitled. The computation disregards the fact that the totalsupply minus 2 could underflow, allowing the attacker to receive almost all of the underlying asset without owning the majority of shares.

Implications for Security Measures

It is fundamental to not only analyze this attack thoroughly but to also utilize this exploit to strengthen our security checks. The precision loss issue is a foreseeable vulnerability, which means that with the right auditing protocols and checks in places such as overflow and underflow prevention mechanisms, it could be avoided.

Final Thoughts and Consequences

The Onyx Protocol attack is yet another reminder of the complexity inherent in smart contract systems and the ingenuity malicious actors apply to exploit them. As blockchain security engineers, we must scrutinize and test contracts with adversarial conditions in mind.

Stay vigilant, continuously review smart contract codes, keep yourselves updated with the latest in security practices, and remember, the cost of a security lapse can be significant, not just financially but also in terms of user trust and product integrity.

For more on blockchain security insights, let’s continue the conversation on Twitter and LinkedIn.