Ovix Protocol Hack - WTF happened?


Disclaimer: The author of this article is a victim of the OVIX hack. The intention is to provide information and raise awareness rather than offer financial or investment advice. Readers are encouraged to conduct their own research and exercise caution when participating in DeFi protocols.

As an unfortunate victim of the recent OVIX hack, I feel compelled to shed light on the details of this security breach and its impact. This article aims to provide an unbiased account of the hack while sharing my experiences as an affected individual.

Overview

OVIX, a multichain lending protocol, has fallen victim to a hack on the Polygon PoS network.

The hackers engaged in price manipulation of vGHST and then exploited the relevant lending pools on 0VIX. The exploit resulted in a theft amounting to roughly $4.33 million.

Summary of the Hack

The 0VIX Protocol suffered a well-coordinated atomic DeFi exploit, leading to substantial financial damages. The attackers exploited flash loans, manipulated the price of the vGHST token, and triggered a toxic liquidation spiral. As a result, the protocol's net total value locked (TVL) decreased from $5.8 million to $1.4 million. In addition, asset withdrawals further reduced the liquidity to approximately $1.2 million.

For the Interested

The recent OVIX hack, like the Mango Markets and bZx exchange hacks, is an example of a price oracle manipulation attack: one that exploits flaws in how the price of a token is calculated. These attacks are not new in DeFi, but they highlight the need for better audits and due diligence when listing assets.

In these attacks, the price oracle of a low-liquidity token is manipulated, artificially inflating its price. The attacker then exchanges their holdings of the artificially inflated token for other tokens with higher liquidity and stable prices.

The OVIX hack involved a vulnerable "vGHST Oracle" introduced on March 17, 2023, according to the joint investigation conducted by PeckShield and the affected 0vixProtocol. The vGHST oracle was found to be susceptible to "donation-based price manipulation." The attacker executed a flash loan deposit of more than 24.5 million USDC as collateral, enabling them to borrow 5.4 million USDT and 720,000 USDC. By leveraging the vulnerable vGHST oracle, the hacker created a liquidatable borrowing position. This position was subsequently liquidated, allowing the hacker to reclaim the initial USDC collateral.
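The donation-based manipulation the joint investigation refers to, as an added simulation that is not part of this article or of 0VIX's own code. It assumes the vulnerable oracle priced vGHST as the vault's GHST balance divided by the vGHST supply (an assumption about the oracle's shape, not a quote of its source), and places two defensive variants beside it: pricing from the vault's internal accounting, and the kind of price limit the 0VIX response mentions.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    ghst_balance: float = 0.0    # what balanceOf(vault) would report on-chain
    ghst_accounted: float = 0.0  # GHST credited through deposit() only
    shares: float = 0.0          # vGHST supply
    def deposit(self, ghst: float) -> float:
        """Mint vGHST pro rata to accounted GHST; returns shares minted."""
        minted = ghst if self.shares == 0 else ghst * self.shares / self.ghst_accounted
        self.ghst_balance += ghst
        self.ghst_accounted += ghst
        self.shares += minted
        return minted
    def donate(self, ghst: float) -> None:
        """A plain token transfer to the vault: balance rises, accounting does not."""
        self.ghst_balance += ghst

def naive_share_price(v: Vault) -> float:
    """Assumed vulnerable oracle shape: GHST balance / vGHST supply."""
    return v.ghst_balance / v.shares

def accounted_share_price(v: Vault) -> float:
    """Hardened: price from internal accounting, so stray transfers are ignored."""
    return v.ghst_accounted / v.shares

class BoundedOracle:
    """Hardened: refuse a reading that moves more than max_change from the last one."""
    def __init__(self, price_fn, max_change: float = 0.10):
        self.price_fn, self.max_change, self.last = price_fn, max_change, None
    def price(self, v: Vault) -> float:
        p = self.price_fn(v)
        if self.last is not None and abs(p - self.last) / self.last > self.max_change:
            raise ValueError(f"price moved {self.last:.2f} -> {p:.2f}, over limit")
        self.last = p
        return p

def simulate(donation: float) -> dict:
    # Constructed scenario: one depositor, then a direct GHST transfer to the vault.
    v = Vault()
    v.deposit(1000.0)                      # 1000 GHST -> 1000 vGHST, price 1.0
    bounded = BoundedOracle(naive_share_price)
    bounded.price(v)                       # records the pre-donation reading
    v.donate(donation)
    try:
        bounded_reading = bounded.price(v)
    except ValueError:
        bounded_reading = None             # oracle rejected the manipulated reading
    return {"naive": naive_share_price(v), "accounted": accounted_share_price(v),
            "bounded": bounded_reading}
```

With a 9000 GHST donation the balance-based reading jumps from 1.0 to 10.0 while the accounted reading stays at 1.0 and the bounded oracle refuses to report; a small, organic-sized change passes the bound.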

For a detailed account, check out the post-mortem report released by OVIX.


During the attack, the security partners at Hexagate detected the breach in real time and promptly halted all protocol contracts. Before the halt, approximately $280k worth of liquidity was withdrawn from the protocol through regular operations. Hexagate followed the attacker's funds onto Ethereum and highlighted a significant interaction with GotchiVault, leading to a subsequent halt of their contracts (after 12 hours).

Investigations revealed that one specific user (0x797ef3a808092557c6c54a0fae161fb41a3ccc5e) managed to extract 255,786 GHST tokens, equivalent to $256,000 in net profits, by taking advantage of the price manipulation 2 hours after the attack.

Following a vote by the GotchiVault DAO, an unconventional solution was implemented to recover stolen funds, resulting in the retrieval of an initial amount of 206k vGHST. However, the remaining 763k GHST used in the exploit is still held by the AaveGotchi DAO, and discussions are ongoing among OVIX and AaveGotchi DAO to determine the fate of these funds. (More on this later)

It is important to note that the funds used to trigger the price manipulation originated from an Aave flash loan, which was subsequently repaid using 0VIX user funds. Therefore, the remaining GHST amount cannot be separated from the overall exploit.

OVIX Response

The hack exposed vulnerabilities in the 0VIX Protocol and highlighted the risks associated with toxic liquidation spirals. In addition, it underscored the need for improved security measures, including stricter token listing criteria, implementation of price limits, and robust auditing protocols. The 0VIX Protocol is actively investigating the incident and collaborating with security experts and law enforcement to track the attackers. 

Hacks are not easy to deal with. While it's true that there's no one-size-fits-all approach to handling hacks and exploits in the crypto space, it's important for protocols to prioritize communication with their users in such situations. 

Understandably, the OVIX team is doing its best to rectify the situation, but there is still room for improvement in handling the aftermath of the hack.

For instance, some users have expressed frustration over the team's lack of timely updates and communication. While giving the team time to investigate and resolve the issue is important, regular updates and transparency can go a long way in reassuring affected users and maintaining trust in the protocol.

Ultimately, a protocol is only as strong as its users and community. OVIX can demonstrate its commitment to its users by actively engaging with them and being transparent throughout this process.

Aavegotchi DAO’s Response

Following the hack, there was a call within the Aavegotchi DAO to discuss the next steps and determine the appropriate course of action regarding the funds deposited by the hacker into the Gotchi Vault. The Aavegotchi DAO has expressed openness to receiving a proposal from 0VIX outlining the reasons and methodology for returning the stolen funds. The DAO acknowledges that these funds do not belong to them and expresses concern about their proper handling. They emphasize the need for OVIX to present a clear plan outlining how the funds will be returned to the affected users.

The Aavegotchi DAO's apprehension stems from a desire to ensure the funds are rightfully returned to those impacted by the hack. They raise valid concerns about the potential involvement of bad actors or the funds not being used as intended by OVIX. The aim is to ensure that the impacted users receive their rightful share and are cautious about potential mismanagement or diversion of the funds.

This collaborative effort demonstrates a willingness to engage in a transparent approach to address the situation and assist affected users. The proposal submission process and subsequent discussions between 0VIX and the Aavegotchi DAO will be crucial in determining the resolution and restitution for the affected individuals.

Conclusion

The OVIX hack is a sobering event that has brought to light the ongoing challenges in the DeFi space. It represents a significant setback for the protocol and has impacted users with financial losses. This incident emphasizes the critical need for robust security measures to address such issues. It is disheartening to see protocols neglecting security audits and due diligence, prioritizing their own interests over user protection. Unfortunately, users often bear the brunt of the consequences.

The future of OVIX's recovery remains uncertain, and only time will tell how it unfolds.

To stay updated, join the OVIX discord.

