Orion Protocol was recently hacked to the tune of $3 million due to a reentrancy issue in its core contract, ExchangeWithOrionPool. Orion Protocol describes itself as the first gateway to the entire crypto market, aggregating every CEX, DEX, and swap pool into one decentralized platform.
The attacker repeatedly called the "depositAsset" function, which is what exposed the contract to the exploit. The attack was funded with 0.4 BNB sent from Tornado Cash to Orion, plus another 0.4 ETH obtained via SimpleSwap. The attacker then withdrew about 1,100 ETH through Tornado Cash and left some 657 ETH sitting in their own wallets.
Orion Protocol CEO Alexey Koloskov confirmed the hack in a Twitter thread, stating that it was caused by a vulnerability in third-party libraries used during Orion's development. Both the ETH and BSC deployments were hit. It is striking how precisely attackers identify the flaws worth targeting; the knowledge is real, but it is being put to the wrong use.
Orion is secure, Orion is strong ?
All users' funds are safe and secure.
– Staking: secure
– Orion Pool: secure
– Bridge: secure
– Liquidity providers: secure
– Depositless trading: secure
We were notified of an event; here's a ? on what happened. ?
— Alexey Koloskov (@alexeykoloskov) February 2, 2023
The hack was made possible by incomplete reentrancy protection: the swapThroughOrionPool function accepts a user-provided swap path, so a path containing a crafted token whose transfer hook re-enters depositAsset can inflate the caller's internal balance accounting without any funds actually being deposited.
Separately, a Google search for "orion protocol" currently appears to return a fraudulent website as the first result. Landing on it by mistake prompts you to sign a suspicious transaction that can hand control of your wallet to the attacker.
Responding to the hack, Changpeng Zhao, CEO of Binance, tweeted:
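To make the defensive pattern concrete, here is an added example (written for this page, not Orion's contract code) of a minimal exchange contract with a deposit entry point and a swap entry point that credit internal balances from token transfers. The contract, interface and function names (GuardedExchange, IPool, swapThroughPool, allowedToken) are hypothetical. The two things it shows are a single reentrancy guard shared by both entry points, so a token hook fired during a swap cannot reach depositAsset, and a whitelist on the swap path so arbitrary user-supplied tokens never get their transfer code executed inside the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Orion's code. All names below are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical pool: swaps amountIn of path[0] along path and sends path[last] to `to`.
interface IPool {
    function swap(address[] calldata path, uint256 amountIn, address to) external returns (uint256 amountOut);
}

// Minimal OpenZeppelin-style guard: one status word shared by every guarded function,
// so a guarded function can never be entered while any other guarded function is running.
abstract contract ReentrancyGuard {
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
}

contract GuardedExchange is ReentrancyGuard {
    // user => token => internal balance
    mapping(address => mapping(address => uint256)) public balances;
    // tokens whose transfer code we are willing to execute inside this contract
    mapping(address => bool) public allowedToken;
    IPool public immutable pool;
    address public immutable owner;

    constructor(IPool pool_) { pool = pool_; owner = msg.sender; }

    function setAllowedToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = allowed;
    }

    // Deposit path. Credits only what actually arrived (balance delta, so fee-on-transfer
    // tokens are not over-credited) and cannot be entered while a swap is in progress.
    function depositAsset(address token, uint256 amount) external nonReentrant {
        require(allowedToken[token], "token not whitelisted");
        uint256 before = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        balances[msg.sender][token] += received;
    }

    // Swap path. Every token in the user-supplied path must be whitelisted, the caller's
    // input balance is debited before any external call (checks-effects-interactions),
    // and the output is credited from a balance delta measured inside the same guarded call.
    function swapThroughPool(address[] calldata path, uint256 amountIn, uint256 minOut)
        external
        nonReentrant
        returns (uint256 received)
    {
        require(path.length >= 2, "bad path");
        for (uint256 i = 0; i < path.length; i++) {
            require(allowedToken[path[i]], "untrusted token in path");
        }
        address tokenIn = path[0];
        address tokenOut = path[path.length - 1];

        // Effects first: debit the input from internal accounting before touching any token.
        require(balances[msg.sender][tokenIn] >= amountIn, "insufficient balance");
        balances[msg.sender][tokenIn] -= amountIn;

        // Interactions: hand the input to the pool and measure what really came back.
        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        require(IERC20(tokenIn).approve(address(pool), amountIn), "approve failed");
        pool.swap(path, amountIn, address(this));
        received = IERC20(tokenOut).balanceOf(address(this)) - before;
        require(received >= minOut, "slippage");

        balances[msg.sender][tokenOut] += received;
    }
}
```

The property to test in a unit test is the negative case: deploy a mock token whose transfer calls back into depositAsset, whitelist it, call swapThroughPool with it in the path, and assert that the whole transaction reverts with "reentrant call" rather than leaving the caller with a larger internal balance than the tokens the contract actually holds. A second useful invariant test is that, for every whitelisted token, the sum of all users' internal balances never exceeds the contract's on-chain balanceOf.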
There was a hack in Orion Protocol ($ORN) due to a lack of re-login protection. The loss is ~$3M. Our security team is monitoring the hacker addresses. No Binance users / assets were affected, Stay SAFU.
However, CEO Alexey Koloskov claimed that the stolen funds were from Orion’s Treasury, adding that all users’ funds are safe.
We want to reassure our users that no user experienced any loss during this incident. The assets at risk were in internal broker's accounts run by ourselves, the Orion team.
To avert potential vulnerabilities from third-party libraries, Koloskov said that the Orion team will prioritize developing all of its contracts in-house.