0vix Hack: $2 Million Stolen in Exploit

April 28, 2023

Summary #

On April 28, 2023, 0vix, a DeFi protocol, was hacked for $2 million in USDC. The attacker executed a sophisticated exploit that involved flash loans, price manipulation, and a self-executed toxic liquidation spiral. All of this occurred within one transaction composed of 278 events.

Attackers #

The attackers remain unidentified. The attacker(s) utilized the following Polygon addresses:

Losses #

$2 million in USDC

Timeline #

April 28, 2023, 10:45:16 AM +UTC Attacker’s transaction
April 28, 2023, 11:54 AM +UTC: 0VIX announced a temporary suspension of its POS and zkEVM operations due to an exploit
April 29, 2023, 03:14:47 PM +UTC: 0VIX Protocol sent a message to the attacker, saying that if no funds are received by 8:00 a.m. UTC on May 1, 2023, law enforcement procedures will begin.
May 11,2023: 0VIX published exploit Post-Mortem

Security Failure Causes #

Flash Loans Exploitation: The exploit leveraged flash loans, which allow borrowing large sums without collateral, for price manipulation and creating strain on the system.
Price Oracle Manipulation: The attackers manipulated price oracles, leading the protocol to make decisions based on incorrect asset prices.
Toxic Liquidation Spiral Vulnerability: The protocol was vulnerable to aggressive and poorly managed liquidations, which led to further financial strain.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam