Overview

• On Thursday, Orion Protocol – a liquidity aggregator for both CeFi and DeFi exchanges – saw its core contract hacked on the Ethereum and Binance Smart Chains (BSC).
• The hacker was able to net over 1700 ETH, cumulatively worth over $3 million.
• The hack was made possible by an incomplete reentrancy protection vulnerability.

Hacking Explained

The hack was enabled by a reentrancy bug in the swapThroughOrionPool function, which allows users with crafted tokens to hijack their transfer into re-entering the deposit asset function. This lets users increase their balance without any actual cost of funds. In this case, the hacker used a newly constructed token called ATK and a self-destructing smart contract to manipulate Orion’s pools.

Initial Funds Used

The hack began first on BSC with initial funds of 0.4 BNB from TornadoCash and 0.4 ETH from SimpleSwap_io. After the attack, 1100 ETH was deposited into TornadoCash while 657 ETH remained in the hacker’s account.

Response From Orion Protocol

Alexey Koloskov, CEO of Orion Protocol, published an open letter shortly after becoming aware of the attack: “We are currently working directly with all exchanges involved to ensure that no user funds are affected… We are already making sure our code is secure against similar attacks in future.“

Conclusion

This hack serves as another demonstration that smart contracts remain vulnerable to attacks despite improved security measures and practices being developed within blockchain space. Though no users were exposed to this particular attack, it is important for developers and teams alike to take extra precaution when developing smart contracts in order to protect them from malicious actors.