U.Today - has reported that Polygon's POS-based multichain lending protocol 0VIX has been hacked with a total loss of about $2 million.
This includes 1.45 million USDC; 58,400 USDT and 9500 GHST. The hacker has started moving the funds, bridging them to Ethereum, and has converted 1,070 ETH.
Blockchain security firm PeckShield has confirmed the incident and unveiled the root cause following a joint investigation with the affected 0vixProtocol. The root cause was determined to be the introduction of a vulnerable "VGHSTOracle," which was deployed on March 17, 2023. The VGHSTOracle suffers from what it described as "donation-based price manipulation."
Explaining further details, the hack involved a flash loan deposit of over 24.5 million USDC as collateral to borrow 5.4 million USDT and 720,000 USDC.
The exploit involved a series of leveraged borrowings from the vulnerable vGHST oracle, which made the hacker's borrowing position liquidatable. The borrow position was then liquidated to take back the original USDC collateral.
Flash loans allow users of DeFi to borrow millions of dollars with zero collateral. Attackers sometimes use them to gain funds to carry out exploits on decentralized systems.
In March, an attacker used a flash loan to conduct an exploit on DeFi lending protocol Euler Finance, which resulted in losses of almost $200 million. This includes Dai (DAI), wrapped Bitcoin (WBTC) staked Ether (sETH), and USDC.
In a happy ending, the exploiter apparently apologized in a message attached to one of the blockchain transactions and returned the majority of the stolen funds to the protocol.
OVIX gives update
In a tweet, confirmed the incident and said it was working with its security partners to look into the current situation that seems to be related to vGHST.As a result, it says it is pausing POS and zkEVM markets; this includes pausing oToken transfers, minting and liquidations.
Only POS has been affected currently, but zkEVM has been paused as a precaution and will likely be enabled again shortly.