New Polygon (MATIC) DeFi Leveraged for $2M, Here’s How

Vladislav Sopov

0VIX, a decentralized lending/borrowing protocol on Polygon’s PoS and zkEVM networks, targeted by flash loan attack


Malefactors managed to manipulate the price of an asset that was a cornerstone element of 0VIX’s lending module. The team approached the hacker with a message, but they remain silent.


Polygon-based lending protocol 0VIX targeted by flash lending attacks, here’s the scenario


According to a statement shared by the team of 0VIX, a decentralized lending protocol operating on Polygon’s (MATIC) mainchain and its new network Polygon zkEVM, its oracle mechanism was exploited yesterday, April 28, 2023.



Leading Web3 cybersecurity expert PeckShield revealed that the attack was made possible by a flaw in the oracle mechanism of 0VIX. To start the manipulation, the attacker deposited $24.5 million in USD Coin (USDC) as collateral and borrowed $5.4 million in US Dollar Tether (USDT) and 720,000 USDC.


They then initiated a series of leveraged loans of vGHST, a 0VIX token based on Aavegotchi’s GHST assets. Because vGHST is a low-float coin, its price rocketed, and the vulnerable VGHSTOracle was unable to curb the manipulation. As a result, the hacker's loan position was liquidated and the collateral was returned to the attacker.


In total, the attackers made approximately $2 million in crypto equivalents as a result of this hack.




As covered by U.Today previously, this vector is a common one for attacks in DeFi. In 2022, a series of eight-digit oracle manipulation attacks occurred on Ethereum (ETH), Polygon (MATIC), Solana (SOL) and BNB Chain (BSC).


Hacker rejects $125,000 bug bounty reward


The team of 0VIX stopped all operations on Polygon (MATIC) and zkEVM networks; however, the latter was not affected by the attack. The protocol sent a message to the attacker urging them to return the stolen money.


However, the abusers do not seem to be interested in paying the debt: the ultimatum expired and there is no update from the attackers.



As such, victims are likely to share information about the hack with law enforcement agencies to find the owners of wallets involved in the attack.
