Wednesday , December 18 2024
Home / Blockchain / Orion Protocol Hacked for $3 Million Through Reentrancy Attack

Orion Protocol Hacked for $3 Million Through Reentrancy Attack

Summary:
Orion Protocol – a liquidity aggregator for both CeFi and DeFi exchanges – saw its core contract hacked on Thursday across both its Ethereum and Binance Smart Chains (BSC) deployments.  The hacker netted over 1700 ETH, cumulatively worth over million at writing time.  Another Reentrancy Hack As explained by the blockchain security company PeckShield on Twitter, Thursday’s hack was made possible “due to incomplete reentrancy protection.” A reentrancy bug refers to when an attacker may withdraw funds repeatedly from a smart contract at no cost.  PeckShield elaborated that the swapThroughOrionPool function lets anyone with crafted tokens to hijack their transfer into re-entering the deposit asset function. This lets users increase their balance without any actual cost of

Topics:
Andrew Throuvalas considers the following as important: , ,

This could be interesting, too:

Chayanika Deka writes Ethena Labs Launches USDtb, Backed by BlackRock’s BUIDL Fund

Wayne Jones writes Prometheum Files Lawsuit Against Critic Matthew Blumberg Amidst Scam Accusations

Wayne Jones writes USDT Transfer Volume on TRON Reaches All-Time High of 7.2B

Chayanika Deka writes Lido Announces Phase-Out of Polygon Liquid Staking Protocol After Community Vote

Orion Protocol – a liquidity aggregator for both CeFi and DeFi exchanges – saw its core contract hacked on Thursday across both its Ethereum and Binance Smart Chains (BSC) deployments. 

The hacker netted over 1700 ETH, cumulatively worth over $3 million at writing time. 

Another Reentrancy Hack

As explained by the blockchain security company PeckShield on Twitter, Thursday’s hack was made possible “due to incomplete reentrancy protection.” A reentrancy bug refers to when an attacker may withdraw funds repeatedly from a smart contract at no cost. 

PeckShield elaborated that the swapThroughOrionPool function lets anyone with crafted tokens to hijack their transfer into re-entering the deposit asset function. This lets users increase their balance without any actual cost of funds. 

In this case, the hacker used a newly constructed token called ATK, and a self-destructing smart contract, to manipulate Orion’s pools. 

Alexey Koloskov, CEO of Orion, published a thread explaining the exploit shortly after it occurred. 

“We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code, but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers,” he said. 

Koloskov noted that the exploited contract wasn’t of major import to the public, but was mainly used by one of its experimental brokers with the company treasury. User funds, he said, are 100% safe. 

Nevertheless, Orion’s Deposit function has been closed, and will not be re-opened until the bug is patched and proper audits have taken place. 

The DeFi Honeypot

Money stolen through DeFi hacks is growing over time: In 2022, $3.8 billion was stolen, with $1.7 billion in crypto taken by North Korean hackers alone. 

Much of that money was taken by the North Korean Lazarus Group, which is suspected to have executed the $100 million Harmony bridge hack in June. 

Some of the most lucrative targets for crypto hacks have been blockchain bridges – where cryptocurrencies backing their tokenized variants circulating on other blockchains are stored.

 In October, Binance Smart Chain (BSC) was paused by validators after a hacker minted 2 Million BNB (worth $600 million at the time) out of thin air by exploiting the blockchain bridge. Much of the BNB was quickly whisked away to other chains in the aftermath. 

You Might Also Like:

Leave a Reply

Your email address will not be published. Required fields are marked *