Orion Protocol hacked for $3 million in reentrancy attack
Orion Protocol, a liquidity aggregator for CeFi and DeFi exchanges, saw its core contract hacked on Thursday on both Ethereum and Binance Smart Chain (BSC).
The hacker made off with over 1,700 ETH, worth more than $3 million at the time of writing.
Another reentrancy hack
As explained by blockchain security company PeckShield on Twitter, Thursday's hack was made possible "due to an incomplete re-entry protection". A reentrancy bug is one that lets an attacker repeatedly withdraw funds from a smart contract for free.
PeckShield stated that the swapThroughOrionPool function allows any crafted token to hook its transfer and re-enter the deposit function. In this way, users can increase their balance without actually paying in funds.
In this case, the hacker used a newly created token called ATK and a self-destructing smart contract to manipulate Orion's pools.
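The following is an added example, not Orion's code and not from PeckShield: a small Python model of what "incomplete re-entry protection" means, where the deposit path is guarded but the swap path makes an external token call without taking the same lock. The names `Pool`, `deposit`, `swap`, `guard_swap` and `run`, and the assumption that the swap credits the caller by the pool's measured balance change, are illustrative and not taken from the page.

```python
from contextlib import contextmanager

class Reentered(Exception):
    """A guarded entry point was called while the shared lock was held."""

class Pool:
    """Toy model (assumption, not Orion's code): the pool keeps an internal
    ledger and its swap credits the caller by the pool's measured balance change."""

    def __init__(self, guard_swap):
        self.guard_swap = guard_swap  # False models the incomplete protection
        self.locked = False           # one lock shared by all entry points
        self.held = 0                 # tokens the pool really holds
        self.credit = {}              # ledger: user -> credited balance

    @contextmanager
    def _guard(self, enabled):
        if enabled and self.locked:
            raise Reentered("re-entrant call rejected")
        previous, self.locked = self.locked, self.locked or enabled
        try:
            yield
        finally:
            self.locked = previous

    def deposit(self, user, amount):
        with self._guard(True):       # deposit is always guarded
            self.held += amount
            self.credit[user] = self.credit.get(user, 0) + amount

    def swap(self, user, amount_out, token_transfer):
        with self._guard(self.guard_swap):
            before = self.held
            token_transfer(self)      # external call: token code runs here
            self.held += amount_out
            self.credit[user] = self.credit.get(user, 0) + self.held - before

def run(guard_swap, amount=100):
    """Swap through a constructed token whose transfer calls back into deposit.
    Returns (tokens held, tokens credited, whether the call was rejected)."""
    pool = Pool(guard_swap)
    try:
        pool.swap("user", 0, lambda p: p.deposit("user", amount))
        rejected = False
    except Reentered:
        rejected = True
    return pool.held, pool.credit.get("user", 0), rejected
```

With the guard missing from the swap, the same incoming tokens are counted once by the nested deposit and again by the swap's balance measurement, so the ledger exceeds what the pool holds. With every state-changing entry point behind the shared lock, the nested call is rejected.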
4/ The hack is first started on BSC with an initial capital of 0.4 BNB @tornadocash. The ETH hack pulls the initial capital 0.4 ETH from pic.twitter.com/lrj9hgegang
- PeckShield Inc. (@peckshield) February 3, 2023
Alexey Koloskov, CEO of Orion, published a thread explaining the exploit shortly after it occurred.
"We have reason to assume that the problem is not due to defects in our core protocol code, but possibly caused by a weak point when mixing third-party libraries in one of the smart contracts used by our experimental and private brokers," he said.
Koloskov noted that the exploited contract was not of great importance to the public, but was mainly used by one of the company's experimental brokers with corporate funds. User funds, he said, are 100% safe.
Nevertheless, Orion has disabled the deposit function, and it will not be reopened until the bug is patched and proper audits have taken place.
The DeFi honeypot
The money stolen in DeFi hacks keeps growing: in 2022, $3.8 billion was stolen, of which $1.7 billion in crypto was taken by North Korean hackers alone.
A large part of this money was taken by the North Korean Lazarus Group, which was probably behind the $100 million bridge hack in June.
Some of the most lucrative targets for crypto hacks have been blockchain bridges, which hold the cryptocurrencies that back their tokenized variants circulating on other blockchains.
In October, Binance Smart Chain (BSC) was paused by validators after a hacker minted 2 million BNB (worth $600 million at the time) out of thin air by exploiting the blockchain bridge. A large part of the BNB was then quickly moved to other chains.