Polygon-based lending protocol 0VIX fell victim to a flash loan attack on April 28, 2023, resulting in a loss of approximately $2 million in crypto.
The protocol’s oracles mechanism was exploited, allowing the attacker to manipulate the price of vGHST, a 0VIX token based on Aavegotchi’s GHST asset. The vulnerability in the oracles mechanism was identified by Peckshield, a leading Web3 cybersecurity expert.
The attack began with the attacker depositing $24.5 million in USD Coins (USDC) as collateral and borrowing $5.4 million in U.S. Dollar Tether (USDT) and 720,000 USDC.
They then leveraged their position by borrowing vGHST, causing the low-liquidity coin’s price to skyrocket. The vGHSTOracle failed to mitigate the manipulation, resulting in the attacker’s borrowing position being liquidated and the collateral returned to their pocket.
The team of 0VIX paused all operations on the Polygon (MATIC) and zkEVM networks, urging the attacker to return the stolen money.
However, the attacker remains silent, rejecting the $125,000 bug bounty reward offered by the protocol. The ultimatum has expired, and there is no update from the attacker’s side.
The attack highlights the importance of strong security measures in the DeFi space. Flash loan attacks have become increasingly common, and protocols need to implement robust security measures to protect their users’ funds.
The 0VIX team has vowed to improve the security of their platform and prevent such incidents from happening in the future.