Orion Protocol Hacked for $3 Million Through Reentrancy Attack

Orion Protocol – a liquidity aggregator for both CeFi and DeFi exchanges – saw its core contract hacked on Thursday across both its Ethereum and Binance Smart Chain (BSC) deployments.

The hacker netted over 1700 ETH, cumulatively worth over $3 million at the time of writing.

Another Reentrancy Hack

As explained by the blockchain security company PeckShield on Twitter, Thursday’s hack was made possible “due to incomplete reentrancy protection.” A reentrancy bug lets an attacker withdraw funds repeatedly from a smart contract at no cost.

PeckShield elaborated that the swapThroughOrionPool function lets anyone with crafted tokens hijack their transfer to re-enter the deposit asset function. This lets users increase their balance without any actual cost of funds.

In this case, the hacker used a newly constructed token called ATK, and a self-destructing smart contract, to manipulate Orion’s pools. 
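
The failure mode PeckShield describes, a reentrancy guard that covers one entry point but not another, shown as an added Python model that is not Orion's contract code and not part of the original article. `ToyPool`, the balance-delta accounting inside `swap`, and the `run` helper are assumptions constructed for illustration.

```python
from contextlib import contextmanager

class ReentrancyError(Exception):
    """Raised when a guarded entry point is entered while the lock is held."""

class ToyPool:
    """Constructed toy ledger; not Orion's contract code."""

    def __init__(self, guard_deposit):
        self.guard_deposit = guard_deposit  # False = guard covers swap() only
        self.locked = False
        self.reserve = 0   # tokens the pool actually holds
        self.credit = {}   # internal balances users can withdraw against

    @contextmanager
    def _non_reentrant(self, enabled=True):
        if enabled and self.locked:
            raise ReentrancyError("entry point re-entered during a guarded call")
        previous, self.locked = self.locked, self.locked or enabled
        try:
            yield
        finally:
            self.locked = previous

    def deposit(self, user, amount):
        with self._non_reentrant(self.guard_deposit):
            self.reserve += amount
            self.credit[user] = self.credit.get(user, 0) + amount

    def swap(self, user, token_transfer):
        with self._non_reentrant():
            before = self.reserve
            token_transfer(self)              # external call into token code
            received = self.reserve - before  # assumed balance-delta accounting
            self.credit[user] = self.credit.get(user, 0) + received

def run(guard_deposit, paid=100):
    """Return (outcome, real reserve, credited balance) for one swap."""
    pool = ToyPool(guard_deposit)
    # Constructed token whose transfer hook calls back into deposit().
    hook = lambda p: p.deposit("caller", paid)
    try:
        pool.swap("caller", hook)
    except ReentrancyError:
        return "blocked", pool.reserve, pool.credit.get("caller", 0)
    return "completed", pool.reserve, pool.credit.get("caller", 0)
```

With the guard on `swap` only, the ledger credits 200 against a reserve of 100; once `deposit` shares the same lock, the nested call is rejected and no state changes. The audit check that follows is that every state-changing entry point reachable from an external call must share one lock.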

Alexey Koloskov, CEO of Orion, published a thread explaining the exploit shortly after it occurred.

“We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code, but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers,” he said.

Koloskov noted that the exploited contract wasn’t of major import to the public, but was mainly used by one of its experimental brokers with the company treasury. User funds, he said, are 100% safe. 

Nevertheless, Orion’s Deposit function has been closed, and will not be re-opened until the bug is patched and proper audits have taken place. 

The DeFi Honeypot

Money stolen through DeFi hacks is growing over time: In 2022, $3.8 billion was stolen, with $1.7 billion in crypto taken by North Korean hackers alone.

Much of that money was taken by the North Korean Lazarus Group, which is suspected to have executed the $100 million Harmony bridge hack in June.

Some of the most lucrative targets for crypto hacks have been blockchain bridges – where cryptocurrencies backing their tokenized variants circulating on other blockchains are stored.

In October, Binance Smart Chain (BSC) was paused by validators after a hacker minted 2 million BNB (worth $600 million at the time) out of thin air by exploiting the blockchain bridge. Much of the BNB was quickly whisked away to other chains in the aftermath.


Source: https://cryptopotato.com/orion-protocol-hacked-for-3-million-through-reentrancy-attack/