Orion Protocol Hacked for $3 Million Through Reentrancy Attack
Orion Protocol – a liquidity aggregator for both CeFi and DeFi exchanges – saw its core contract hacked on Thursday across both its Ethereum and Binance Smart Chains (BSC) deployments.
The hacker netted over 1700 ETH, cumulatively worth over $3 million at writing time.
Another Reentrancy Hack
As explained by the blockchain security company PeckShield on Twitter, Thursday’s hack was made possible “due to incomplete reentrancy protection.” A reentrancy bug refers to when an attacker may withdraw funds repeatedly from a smart contract at no cost.
PeckShield elaborated that the swapThroughOrionPool function lets anyone with crafted tokens to hijack their transfer into re-entering the deposit asset function. This lets users increase their balance without any actual cost of funds.
In this case, the hacker used a newly constructed token called ATK, and a self-destructing smart contract, to manipulate Orion’s pools.
4/ The hack is started first on BSC w/ initial fund 0.4 BNB from @TornadoCash. The ETH hack draws initial fund 0.4 ETH from @SimpleSwap_io. After hack, the gain of 1100 ETH is deposited into @TornadoCash and other 657 ETH stays in the hacker’s account: https://t.co/wGG6RA0qii pic.twitter.com/lRj9HGEgQc
— PeckShield Inc. (@peckshield) February 3, 2023
Alexey Koloskov, CEO of Orion, published a thread explaining the exploit shortly after it occurred.
“We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code, but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers,” he said.
Koloskov noted that the exploited contract wasn’t of major import to the public, but was mainly used by one of its experimental brokers with the company treasury. User funds, he said, are 100% safe.
Nevertheless, Orion’s Deposit function has been closed, and will not be re-opened until the bug is patched and proper audits have taken place.
The DeFi Honeypot
Money stolen through DeFi hacks is growing over time: In 2022, $3.8 billion was stolen, with $1.7 billion in crypto taken by North Korean hackers alone.
Much of that money was taken by the North Korean Lazarus Group, which is suspected to have executed the $100 million Harmony bridge hack in June.
Some of the most lucrative targets for crypto hacks have been blockchain bridges – where cryptocurrencies backing their tokenized variants circulating on other blockchains are stored.
In October, Binance Smart Chain (BSC) was paused by validators after a hacker minted 2 Million BNB (worth $600 million at the time) out of thin air by exploiting the blockchain bridge. Much of the BNB was quickly whisked away to other chains in the aftermath.
Back to the list