0VIX, decentralized lending/borrowing protocol on Polygon’s PoS and zkEVM networks, targeted by flash loan attack
Malefactors managed to manipulate the price of one asset that was a cornerstone element of 0VIX’s lending module. The team addressed the hacker with a message, but the hacker remains silent.
Polygon-based lending protocol 0VIX targeted by flash loan attack: here’s the scenario
According to a statement shared by the team of 0VIX, a decentralized lending protocol that works on Polygon’s (MATIC) main chain and its novel network Polygon zkEVM, its oracle mechanism was exploited yesterday, April 28, 2023.
0VIX Protocol Association along with a number of security firms @chainalysis and @peckshield have been investigating today’s unlawful exploit of 0VIX protocol (status update below).
— 0VIX | live on zkEVM (@0vixProtocol) April 28, 2023
Leading Web3 cybersecurity expert PeckShield revealed that the attack became possible due to a flaw in the oracle mechanism of 0VIX. To start the manipulation, the attacker deposited $24.5 million in USD Coin (USDC) as collateral and borrowed $5.4 million in U.S. Dollar Tether (USDT) and 720,000 USDC.
Then, they started a series of leveraged borrowings of vGHST, a 0VIX token based on Aavegotchi’s GHST asset. As a low-liquidity coin, vGHST saw its price rocket: the vulnerable VGHSTOracle failed to mitigate the manipulation. As a result, the borrowing position of the hacker was liquidated and the collateral returned to their pocket.
In total, the attackers made approximately $2 million in crypto equivalent as a result of this hack.
As covered by U.Today previously, this vector is a common one for attacks in DeFi. In 2022, a number of eight-digit attacks involving oracle manipulation happened on Ethereum (ETH), Polygon (MATIC), Solana (SOL) and BNB Chain (BSC).
Hacker rejects $125,000 bug bounty reward
The team of 0VIX paused all operations on Polygon (MATIC) and zkEVM networks; however, the latter was not affected by the attack. The protocol sent a message to the attacker urging them to return the stolen money.
However, the malefactors do not seem to be interested in paying the debt: the term of the ultimatum expired and there is no update from the attackers’ side.
The attacker still has about 30 minutes to respond to this message after which there will be an update. https://t.co/cxQUfYDzdb
— 0VIX | live on zkEVM (@0vixProtocol) April 29, 2023
As such, the victims will likely be sharing information about the hack with law enforcement bodies to find the owners of wallets involved in the attack.