Key takeaways




The known bug allowed $3 million stolen from the Orion Protocol.



Tornado Cash, a cryptocurrency mixer, is used by wallets connected to the event to send ether.




The cryptocurrency exchange Orion Protocol was planning to halt operations on Thursday after an unidentified attacker allegedly stole cryptocurrency valued at millions of dollars. The project’s smart contracts on Ethereum and BNB Chain were locked with a total value of $3 million, which an attacker stole.



According to a tweet from PeckShield, Orion was the target of a reentrancy attack, in which the attacker repeatedly withdrew money from a smart contract. Gal Sagie, CEO of the cybersecurity firm Hypernative, claimed that the attacker utilized a phony token called ATK to control the Orion pools. Additionally, a self-destructing smart contract was used.




1/ Again, a $3M lesson from the reentrancy bug! The @orion_protocol is hacked due to a reentrancy issue in its core contract: ExchangeWithOrionPool. Both eth/bsc deployment are hacked. Here are the two related hack txs: https://t.co/YvRIRq6T57 https://t.co/GbexocEZAo https://t.co/lF13kbMkA8 — PeckShield Inc. (@peckshield) February 3, 2023




Peckshield stated on Twitter that “the protocol is being suspended as we speak.” The business claimed to be helping Orion. The team has finally confirmed the root cause, and they are now resolving the bug,



The losses were pegged at $2.8 million for Orion’s Ethereum implementation and $200,000 for its BSC implementation by on-chain sleuths. Shortly after the incident, an attacker’s wallet started transferring ether tokens through Tornado Cash.



Alexey Koloskov, CEO of Orion Protocol, addressed the problem in a thorough postmortem thread. He first emphasized that his platform’s end-user modules, including Orion Pool, the staking module, the bridge, liquidity providers, and the trading engine, are currently all 100 percent safe. Then he gave the assurance that the disputed contract was not particularly significant for Orion Protocol and had nothing to do with its entire codebase:




“We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code, but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers.”




As a result, his team will transition to “in-house” smart contracts to eliminate the chance of design defects in third-party technology. Orion is a less vulnerable protocol for contract hacking because of its “transient” TVL, CEO Koloskov emphasized.



Security company PeckShield discovered that reentrancy was used in the vulnerability. An attacker can exploit a smart contract’s reentrancy vulnerability by repeatedly calling a function and taking money out of it before the contract refreshes its internal state. A defect in a smart contract or poor security measures may be to blame for the vulnerability.