0VIX Protocol Drained For $2m In Oracle Manipulation Exploit

Polygon lending protocol 0VIX has announced a temporary halt to its POS and zkEVM operations because of an exploit costing the protocol at least $2 million.

0VIX is working with its security partners to look into the current situation that seems to be related to vGHST.

As a result, POS and zkEVM markets have been paused this includes pausing oToken transfers, minting, and liquidations.

Only POS has been currently affected but zkEVM…

— 0VIX | live on zkEVM (@0vixProtocol) April 28, 2023

A joint investigation with blockchain security firm PeckShield revealed that the attacker had managed to exploit the protocol using the vGHST token. vGHST is the staking token of the blockchain gaming project Aavegotchi. It is also the share token for $GHST, Aavegotchi’s native token.

Blocksec, another security and audit firm, confirmed that vGHST was artificially inflated and its price oracle manipulated. The attacker had initially borrowed stablecoins which they used to open up lending on 0VIX and enabled them access to the vGHST lending pool. They then borrowed large amounts of vGHST. This caused the value of the native token $GHST to shoot up by as much as 24.7% in less than half an hour, as blockchain data from CoinMarketCap reveals. The attacker then ran off with the collateral and subsequently exchanged their loot for other tokens.

Attacks like these are commonly called oracle manipulation hacks. The crypto space has seen its fair share of these attacks, most recently with the Mango Markets hack last October 2022 where the attacker had made off with a whopping $117 million.

As for 0VIX’s response, the protocol is not giving up as their joint investigation with PeckShield and Chainalysis has yielded significant results by managing to identify the attacker. An ultimatum was then switfly issued to the attacker via an on-chain message which 0VIX subsequently publicized in a tweet. It states that the protocol is willing to give the attacker $125,000 as bug bounty in return for the rest. Should the attacker not respond, 0VIX has warned that it will share information with law enforcement agencies.

The protocol has since issued the following statement, embedding the warning for the threat actor that law enforcement will be involved if no response is received:

Official message to the attacker:
At 8am UTC 1 May 2023 the law enforcement process is scheduled to begin in the absence of any funds being returned.
We will take the leads we’ve gotten so far (thank you to the public for these), combine it with our tracing we’ve already done on…

— 0VIX | live on zkEVM (@0vixProtocol) April 29, 2023

Hacks and exploits are a real problem, and not just in the crypto space, especially when safeguards are still not properly placed. Attacks like these raise important questions not simply on the security measures that individual exchanges and crypto projects deploy but more importantly, the path Ethereum itself is taking, or has taken, specifically its move from Proof of Work to Proof of Stake.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.