0VIX Hack: $2 Million Stolen in Exploit

Summary

On April 28, 2023, 0VIX, a DeFi protocol, was hacked for $2 million in USDC. The attacker combined flash loans, price manipulation, and a self-executed toxic liquidation spiral in a single exploit. All of this occurred within one transaction composed of 278 events.

Attackers

The attackers remain unidentified. The attacker(s) utilized the following Polygon addresses:

Losses

$2 million in USDC

Timeline

  • April 28, 2023, 10:45:16 AM +UTC: Attacker’s transaction.
  • April 28, 2023, 11:54 AM +UTC: 0VIX announced a temporary suspension of its POS and zkEVM operations due to an exploit.
  • April 29, 2023, 03:14:47 PM +UTC: 0VIX Protocol sent a message to the attacker, saying that if no funds are received by 8:00 a.m. UTC on May 1, 2023, law enforcement procedures will begin.
  • May 11, 2023: 0VIX published its exploit post-mortem.

Security Failure Causes

  • Flash Loans Exploitation: The exploit leveraged flash loans, which allow borrowing large sums without collateral, for price manipulation and creating strain on the system.
  • Price Oracle Manipulation: The attackers manipulated price oracles, leading the protocol to make decisions based on incorrect asset prices.
  • Toxic Liquidation Spiral Vulnerability: The protocol was vulnerable to aggressive and poorly managed liquidations, which led to further financial strain.
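
The toxic liquidation spiral named in the last item comes down to simple arithmetic on a position's loan-to-value ratio (LTV). The Python below is an added example, not code from 0VIX or its post-mortem. It assumes a generic lending market in which a liquidator repays a fraction of the debt (close_factor) and seizes that value plus a bonus (incentive), and every number in it is constructed.

```python
# Added illustration: generic liquidation model, not 0VIX's contract code.
# All parameter values below are constructed for the example.
from dataclasses import dataclass


@dataclass
class Position:
    collateral: float  # collateral value in USD at the oracle price
    debt: float        # borrowed value in USD

    @property
    def ltv(self) -> float:
        return float("inf") if self.collateral <= 0 else self.debt / self.collateral


def toxic_threshold(incentive: float) -> float:
    """LTV above which a liquidation raises LTV instead of lowering it."""
    return 1.0 / (1.0 + incentive)


def liquidate(pos: Position, incentive: float, close_factor: float) -> Position:
    """Repay close_factor of the debt and seize that value plus the incentive."""
    repay = pos.debt * close_factor
    seized = repay * (1.0 + incentive)
    if seized > pos.collateral:          # not enough collateral left to pay out
        seized = pos.collateral
        repay = seized / (1.0 + incentive)
    return Position(pos.collateral - seized, pos.debt - repay)


def simulate(pos: Position, incentive: float, close_factor: float, rounds: int):
    """Return the LTV after each round and the debt left uncovered at the end."""
    ltvs = [pos.ltv]
    for _ in range(rounds):
        if pos.collateral <= 0 or pos.debt <= 0:
            break
        pos = liquidate(pos, incentive, close_factor)
        ltvs.append(pos.ltv)
    bad_debt = max(pos.debt - pos.collateral, 0.0)
    return ltvs, bad_debt


if __name__ == "__main__":
    for debt in (90.0, 95.0):  # constructed positions on 100 USD of collateral
        ltvs, bad = simulate(Position(100.0, debt), 0.10, 0.5, 6)
        print(debt, [round(v, 3) for v in ltvs], "bad debt:", round(bad, 2))
```

Once LTV exceeds 1/(1 + incentive), each liquidation removes more collateral value than debt, so a position that started solvent ends with uncovered debt. A protocol-side check against that threshold marks the point where further liquidation only adds bad debt.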