One asset, which was a key component of the loan module of 0VIX, was the target of criminal activity that involved price manipulation. The team sent a message to the hacker, but they didn’t respond.
Polygon-based lending protocol 0VIX targeted by flash loan attack, here’s scenario
The company behind the decentralised lending protocol 0VIX, which operates on the Polygon (MATIC) main chain and its cutting-edge network Polygon zkEVM, has revealed that its oracles mechanism was compromised yesterday, April 28, 2023.
Leading Web3 cybersecurity specialist Peckshield disclosed that a weakness in 0VIX’s oracles mechanism made the attack possible. The attacker borrowed $5.4 million in U.S. Dollar Tether (USDT) and 720,000 USD Coins (USDC) before depositing $24.5 million in USD Coins (USDC) as collateral to begin the manipulation.
After that, they began a string of leveraged borrowings of vGHST, a 0VIX token based on the GHST asset owned by Aavegotchi. Due to the low liquidity of vGHST, the manipulation was not mitigated by the weak VGHSTOracle. As a consequence, the hacker’s borrowing position was liquidated, and the collateral was given back to them.
The attackers profited from this breach to the tune of almost $2 million in cryptocurrency.
As previously reported by U.Today, this vector is frequently used for assaults in DeFi. Numerous eight-digit attacks involving oracle manipulations occurred in 2022 on the cryptocurrency exchanges Ethereum (ETH), Polygon (MATIC), Solana (SOL), and BNB Chain (BSC).
Hacker rejects $125,000 bug bounty reward
The 0VIX team stopped all activity on the Polygon (MATIC) and zkEVM networks, however the latter network was unaffected by the assault. The protocol urged the attacker to give back the money that was taken by sending a message to them.
The ultimatum’s deadline passed without any more word from the assailants, thus it appears that they are not eager to settle the bill.
As a result, it is possible that the victims would alert law enforcement agencies about the incident in an effort to identify the owners of the compromised wallets.
