On April 28, 2023, 0VIX, a Polygon-based decentralized lending protocol that works on Polygon’s (MATIC) main chain and its novel network Polygon zkEVM, fell victim to a flash loan attack.
The attacker was able to exploit the oracles mechanism of 0VIX, manipulating the price of one asset that was a cornerstone element of the lending module.
According to cybersecurity firm Peckshield, the attacker deposited $24.5 million in USD Coins (USDC) as collateral and borrowed $5.4 million in U.S. Dollar Tether (USDT) and 720,000 USDC.
They then proceeded to engage in a series of leveraged borrowings of vGHST, a 0VIX token based on Aavegotchi’s GHST asset.
The low-liquidity nature of vGHST allowed the attacker to drive up its price, causing the vulnerable VGHSTOracle to fail in mitigating the manipulation.
As a result, the hacker’s borrowing position was liquidated, and the collateral returned to their pocket. The hackers were able to make approximately $2 million in crypto equivalent as a result of this exploit.
The team of 0VIX immediately paused all operations on Polygon (MATIC) and zkEVM networks, although the latter was not affected by the attack.
They also urged the hacker to return the stolen funds, but the attackers remain silent, showing no interest in paying back the debt. In fact, the hackers even rejected the $125,000 bug bounty reward that was offered by the 0VIX team.