On September 26, 2024, VUSD issued a statement confirming a significant security incident involving the Onyx Protocol, resulting in the theft of over $13 million in VUSD. This breach has prompted immediate action, including the suspension of the smart contract associated with the protocol.
Fortunately, the VUSD team has verified that there are no vulnerabilities in its codebase or reserves, ensuring the safety of its assets.
How Did the $13 Million Hack Take Place?
The exploit happened during a liquidity proposal with the Onyx Decentralised Autonomous Organisation (DAO), according to the release. The smart contract was put on hold after the incident to allow for appropriate communication and investigation.
Even though the hacker was able to syphon off a significant sum, just $1.5 million is said to have been sold into liquidity pools, which reduced liquidity on secondary markets.
VUSD’s statement emphasized, “The Onyx Protocol suffered an exploit… where over $13 million of VUSD was hacked and stolen.” The communication also assured users that the VUSD transfer functionality remains operational while the team investigates the situation and blacklists any involved parties.
The attacker planned to use a known precision bug in the modified Compound V2 source to manipulate the market. Thus, they were able to pilfer not just 4.1 million VUSD but also significant quantities of other cryptocurrencies, such as 7.35 million XCN, 5,000 DAI, 0.23 WBTC, and 50,000 USDT, according to data from PeckShield. The hacker was able to profit from the almost empty market by manipulating the exchange rate.
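Why an almost empty market turns a rounding error into a material loss, as an added illustration that is not Onyx or Compound source code: it assumes the fork keeps Compound V2's integer exchange-rate formula and truncating division, and it places a rounded-up (hardened) division and a market-state check beside them. All numbers, thresholds and function names are constructed for the example.

```python
# Added illustration with constructed numbers; not Onyx or Compound source code.
SCALE = 10**18  # fixed-point scale Compound V2 uses for the exchange rate


def exchange_rate(cash, borrows, reserves, total_supply):
    """Underlying per market-token unit, scaled by 1e18, integer math only."""
    return (cash + borrows - reserves) * SCALE // total_supply


def tokens_burned(redeem_amount, rate, round_up=False):
    """Market tokens charged for withdrawing redeem_amount of underlying."""
    numerator = redeem_amount * SCALE
    if round_up:                   # hardened form: round against the redeemer
        return -(-numerator // rate)
    return numerator // rate       # truncating form: the remainder is never charged


def unit_value(rate):
    """Underlying (smallest units) represented by ONE market-token unit.
    This is also the upper bound on what a single truncated division can drop."""
    return rate // SCALE


def assess_market(cash, borrows, reserves, total_supply,
                  min_supply=10**6, max_unit_value=10**12):
    """Reasons the rounding error is no longer negligible (hypothetical thresholds)."""
    findings = []
    if total_supply < min_supply:
        findings.append("total supply below minimum")
    if total_supply == 0:
        return findings
    rate = exchange_rate(cash, borrows, reserves, total_supply)
    if unit_value(rate) > max_unit_value:
        findings.append("one token unit is worth more than dust")
    return findings


# Constructed market states (18-decimal underlying).
HEALTHY = dict(cash=5 * 10**24, borrows=3 * 10**24, reserves=10**22,
               total_supply=4 * 10**16)
NEAR_EMPTY = dict(cash=10**24, borrows=0, reserves=0, total_supply=2)

if __name__ == "__main__":
    for name, state in (("healthy", HEALTHY), ("near-empty", NEAR_EMPTY)):
        rate = exchange_rate(**state)
        print(name, "unit value:", unit_value(rate), "findings:", assess_market(**state))
```

In the healthy state one token unit is worth a fraction of a billionth of a coin, so truncation is harmless; in the near-empty state a single unit represents half the pool, which is the condition a listing or governance review can check for before a market goes live.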
Investigation and Future Measures
To find the people behind the breach, the VUSD team is working closely with the Onyx DAO and the appropriate authorities. After the inquiry is over, they intend to restart the smart contract’s functionality.
Institutional users were further encouraged by the assertion that they could keep minting and redeeming their VUSD at the indicated $1 market rate because the currency is completely backed by assets that are overcollateralized.
In the wake of the breach, VUSD will explore acquiring necessary licenses in certain jurisdictions to enable retail redemptions for its tokens. However, these plans will depend on the ongoing investigation and will be communicated to users at a later date.
The Onyx Protocol had already encountered a breach of a similar nature in October 2023, which led to the theft of $2.1 million. The vulnerability at the time was caused by a rounding error, highlighting persistent worries about the security of the protocol.
Scholars have explained these problems by pointing out that Onyx Protocol is a fork of Compound Finance, which has had its fair share of security concerns in the past. The VUSD community is still holding out hope for a resolution that will bring back the protocol’s functionality and sense of confidence while the investigation progresses.