defirisk.co
rubric v1.7.0

Onyx Protocol (2nd incident): Compound V2 empty-market donation attack — VUSD governance-added market

Onyx Protocol was drained for $3.8M using the exact same Compound V2 empty-market vulnerability that hit it 11 months earlier — after governance added a new VUSD market without first seeding it with liquidity.

Occurred: 2024-09-25 | Loss: $4M | Status: closed

Summary

Onyx Protocol (2nd incident), a Lending / Money Market protocol (Compound V2 fork), was exploited on 2024-09-25, resulting in a loss of approximately $4M.

Linked factors

  • RD-F-002 — related : Audit recency (stale signal — text variants only; numeric thresholds need value-parser, deferred) [via dashboard_risk_factors/Time since last audit: ~2 years 8 months at time of exploit]
  • RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Y — VUSD market newly added via governance]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown / not advertised publicly]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — governance vote added the new VUSD market that created the empty-market opportunity]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Compound V2 fork]
  • RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Y — Compound V2 fork]