OVIX Protocol Falls Victim To $2 Million Oracle Exploit

OVIX, a Polygon-based lending protocol, recently suffered a major setback after being hit by an exploit that cost the platform at least $2 million.

In response, OVIX temporarily halted its POS and zkEVM operations while it worked to address the issue and minimize the impact on its users.

The intrusion was initially reported by blockchain security company CertiK, and was later substantiated by Arkham Intelligence.

The OVIX protocol allows borrowing against a variety of stablecoins, including Ethereum derivatives and Polygon’s native MATIC token, as well as Aavegotchi’s staked token, vGHST.

Arkham claims that the exploiter deliberately raised the price of vGHST in order to obtain substantial USDC in loans. Once on the Ethereum (ETH) mainnet, the hacker exchanged the stablecoins for 757 ETH.

The intruder utilized the borrowed stablecoins to gain access to the vGHST lending pool and the OVIX lending platform.

Pumping The Price Of GHST 

Blockchain data from CoinMarketCap shows that they borrowed substantial amounts of vGHST, driving up the price of the native currency $GHST by as much as 25% in just half an hour.

The perpetrator made off with the collateral and later traded it in for more tokens.

The Aavegotchi blockchain gaming project uses vGHST as its staking token. It serves as the share token for the native Aavegotchi token, $GHST.

Blocksec, a security and auditing organization, has verified that the value of vGHST was increased artificially, and that the pricing oracle was tampered with.

The hacker had used the vGHST token to exploit the protocol, according to the findings of a study by blockchain security firm PeckShield.

In a statement released on April 28th, OVIX acknowledged the issue and said it was investigating the matter with its security partners.

According to CoinGecko, the value of GHST increased from $1.13 to $1.41.

OVIX Suspends Trading 

OVIX has suspended trading in POS and zkEVM because of the breach. In addition, it was stated that this would have consequences for oToken issuance, transfer, and liquidation.

Such attacks, known in the DeFi community as “price oracle manipulation hacks,” are widespread.

When discussing vulnerabilities in decentralized finance (DeFi) systems, the term “price oracle manipulation hacks” is commonly used.

DeFi platforms can get real-time data on the value of multiple cryptocurrencies and other assets via price oracles, which are external services.

Manipulating the prices reported by the oracle or compromising the oracle’s data feed are both methods of manipulating pricing oracles.

To facilitate other attacks, such as flash loans or liquidity pool exploits, attackers might utilize this phony information to artificially inflate or deflate the value of assets.

The term “flash loan attack” is used to describe a specific kind of hack used to manipulate pricing oracles. An attacker in this scenario would borrow heavily from a DeFi platform, inflate the asset’s actual value with fabricated data, and then sell it at the inflated price.

Once the loan is paid back, the attacker keeps the proceeds.

Total market cap of cryptocurrencies as of Sunday unchanged at $1.16 trillion. Chart by TradingView.com

The Challenge In Detection

Because of the interconnected nature of many DeFi platforms and price oracles, it can be challenging to detect and prevent manipulation attacks on these systems.

Security procedures, such as multi-signature authentication and data verification methods, should be implemented by DeFi platforms and pricing oracle providers to reduce the likelihood of these attacks.

Meanwhile, the OVIX protocol has released a statement, which warns the perpetrators that authorities will get involved if they don’t respond.

-Featured image from Crypto Daily

Share with your friends!

Products You May Like

Leave a Reply

Your email address will not be published. Required fields are marked *


Fatal error: Uncaught wfWAFStorageFileException: Unable to verify temporary file contents for atomic writing. in /www/wwwroot/bitcoinnewsinvest.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php:52 Stack trace: #0 /www/wwwroot/bitcoinnewsinvest.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php(659): wfWAFStorageFile::atomicFilePutContents() #1 [internal function]: wfWAFStorageFile->saveConfig() #2 {main} thrown in /www/wwwroot/bitcoinnewsinvest.com/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php on line 52