defirisk.co
rubric v1.7.0

Onyx Protocol: Compound V2 empty-market donation attack — governance-added PEPE market exploited via rounding + exchange rate inflation

Onyx Protocol lost $2.1M on Halloween when a governance vote to add a PEPE memecoin lending market created a textbook Compound V2 empty-market vulnerability — the same bug that had already hit Hundred Finance and Midas Capital earlier that year.

Occurred 2023-10-31 Loss $2M Status closed

Summary #

Onyx Protocol suffered a Lending / Money Market (Compound Finance fork) on 2023-10-31, resulting in a loss of approximately $2M.

What happened #

Onyx Protocol lost $2.1M on Halloween when a governance vote to add a PEPE memecoin lending market created a textbook Compound V2 empty-market vulnerability — the same bug that had already hit Hundred Finance and Midas Capital earlier that year.

Linked factors #

  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Proposal 22 added the PEPE market days before the exploit] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Proposal 22 added the PEPE market days before the exploit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-046 — related : ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
  • RD-F-072 — causal : Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
  • RD-F-077 — causal : Prior exploit count [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-078 — causal : Chronic flag (≥3 prior exploits) [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-079 — causal : Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — governance Proposal 22 enabled the vulnerable PEPE market; detectable pre-exploit risk]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound Finance fork]
  • RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Yes — Compound Finance fork]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — Proposal 22 added the PEPE market days before the exploit]