Orion Protocol Hacked, $3 Million Lost: Here's How
PeckShield, a reputable cryptocurrency security research team, unveils the design of alleged attacks against Orion Protocol. Meanwhile, its team says only internal funds were at risk.
Orion Protocol hacked for $3 million thanks to well-known bug: PeckShield
According to the statement shared by PeckShield representatives on Twitter, Orion Protocol, a popular liquidity machine for CEXes and DEXes, suffered a hacker attack today, Feb. 3, 2023.
1/ Again, a $3M lesson from the reentrancy bug! The @orion_protocol is hacked due to a reentrancy issue in its core contract: ExchangeWithOrionPool. Both eth/bsc deployment are hacked. Here are the two related hack txs: https://t.co/YvRIRq6T57https://t.co/GbexocEZAo https://t.co/lF13kbMkA8
— PeckShield Inc. (@peckshield) February 3, 2023
Moreover, yesterday, PeckShield experts highlighted this vulnerability to the protocol's team. Orion's core contract logic was flawed: it allowed user balances to increase, while moving funds without actually depositing money.
Both mechanisms of BNB Chain (BSC) and Ethereum (ETH) were exploited. In total, it took 0.4 BNB and 0.4 ETH for an attacker to drain the protocol for 1,757 Ethers (ETH). Out of this sum, 1,100 Ethers (ETH) have already been laundered through Tornado Cash mixer.
As covered by U.Today previously, Orion Protocol garnered impressive popularity in 2021 when it expanded to BNB Chain (BSC), Polkadot (DOT) and Cardano (ADA), becoming the first multi-chain liquidity aggregator of the DeFi segment.
Orion is secure, no user funds at risk, CEO says
Orion Protocol CEO Alexey Koloskov addressed the issue in a detailed postmortem thread. First, he stressed that all end-user modules of his platform — Orion Pool, staking module, bridge, liquidity providers and trading engine — are 100% secure right now.
Then, he assured that the contract in question was not of particular importance for Orion Protocol and has nothing to do with its core codebase:
We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code, but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers.
As such, in the future, his team is going to switch to "in-house" smart contracts to remove the possibility of design flaws in third-party code.
Also, due to the fact that Orion has "transient" TVL, it is among the less-exposed protocols when it comes to contract hacks, CEO Koloskov stressed.