0vix Hack: $2 Million Stolen in Exploit

Summary

On April 28, 2023, 0vix, a DeFi protocol, was hacked for $2 million in USDC. The attacker executed a sophisticated exploit that involved flash loans, price manipulation, and a self-executed toxic liquidation spiral. All of this occurred within one transaction composed of 278 events.

Attackers

The attackers remain unidentified. The attacker(s) utilized the following Polygon addresses:

• 0x702ef63881b5241ffb412199547bcd0c6910a970
• 0x407feaec31c16b19f24a8a8846ab4939ed7d7d57
• 0x49c6dd832d76fb9dd0dfd3a889775faa51af095c

Losses

$2 million in USDC

Timeline

• April 28, 2023, 10:45:16 AM +UTC Attacker’s transaction
• April 28, 2023, 11:54 AM +UTC: 0VIX announced a temporary suspension of its POS and zkEVM operations due to an exploit
• April 29, 2023, 03:14:47 PM +UTC: 0VIX Protocol sent a message to the attacker, saying that if no funds are received by 8:00 a.m. UTC on May 1, 2023, law enforcement procedures will begin.
• May 11,2023: 0VIX published exploit Post-Mortem

Security Failure Causes

• Flash Loans Exploitation: The exploit leveraged flash loans, which allow borrowing large sums without collateral, for price manipulation and creating strain on the system.
• Price Oracle Manipulation: The attackers manipulated price oracles, leading the protocol to make decisions based on incorrect asset prices.
• Toxic Liquidation Spiral Vulnerability: The protocol was vulnerable to aggressive and poorly managed liquidations, which led to further financial strain.