Feb 2023 - Orion Protocol Reentrancy Exploit - $3.027m (Global)
Orion Protocol is "[y]our single point of access to the crypto market. Access CEXs, DEXs, and swap pools - directly from your wallet. No account. Global access." "We're here to help you save your time, money, and assets. Access the entire crypto market on one platform, without ever giving up your private keys."
"No one has solved liquidity, custody, accessibility, and scalability in one platform. Until now."
"Built on the most advanced liquidity aggregator ever developed, Orion Protocol solves some of the largest issues in DeFi by aggregating the liquidity of the entire crypto market into one decentralized platform. Governing the protocol is the proprietary staking mechanism Delegated Proof of Broker, fulfilling every function via a decentralized brokerage with the supply-capped ORN token at its core. This underpins each industry-critical solution built on the protocol, from Orion Terminal to Orion Enterprise solutions for blockchains, exchanges, and crypto projects, with thirteen different revenue streams."
"Orion is a new kind of DeFi platform that combines the best features of exchanges, brokerages, and instant trading apps. The platform is built around a liquidity aggregator connected to all of the major crypto exchanges and swap pools (centralized and
decentralized), enabling users to gain the best price for their trades from a single portal. Along with powerful tools for portfolio management, Orion offers exceptional security, convenience, and flexibility. The platform is suitable for experienced traders, institutional traders, and newcomers alike.
The Orion platform and ecosystem is powered by the ORN token, an ERC-20 token. Orion Protocol will be an open source repository for dApps, making all of the platform’s functionality available to developers and businesses, enabling anyone to build powerful financial tools."
"Orion Terminal seamlessly aggregates bottomless liquidity from major exchanges, centralized + decentralized: providing rich trading tools in one easy to use platform. Powered by ORN."
"Don't waste time exchange hopping. Access the liquidity of the entire crypto market on one decentralized platform. Access the liquidity of centralized exchanges, decentralized exchanges, and swapping pools in one place."
"Don’t give up control of your private keys. Your key, your control: access bottomless liquidity without ever giving up your private keys. Simply connect your wallet and execute your order across any major exchange - even those you don’t have accounts with."
"Don't buy or sell unless you're getting the best price. Buy or sell your assets at the best price, every time. Orion aggregates all major exchange liquidity into one seamlessly aggregated order book to give you the best price possible."
"Don't waste money on high trading fees and slippage. Best prices, lowest fees, zero spread. By aggregating every exchanges' order book, Orion provides the best prices and lowest fees in market with almost zero spread - and zero slippage."
"We don’t compete with exchanges: we aggregate them. Instead of competing with exchanges and swapping pools, we unite their order books into one easy-to-use terminal, giving you access to the crypto market in one place."
"Orion Protocol fell prey to a reentrancy exploit on Thursday, losing a total of $3M on ETH and BSC."
"A few hours after the news spread on Twitter, Orion’s CEO announced the loss, clarifying that the damage was contained to an internal broker account and that user funds remain safe."
"The attacker’s account was funded from a Binance-labelled wallet, though the original source was allegedly another CEX, SimpleSwap."
"By creating a fake token (ATK) and routing a swap of the flash loaned funds via ATK, a reentrancy hook called depositAsset within ATK’s transfer function, effectively doubling the attacker’s account balance."
"The attacker first called the depositAsset function of the ExchangeWithAtomic contract to make a deposit of 0.5 USDC tokens in preparation for the following attack:
Next, the attacker makes a flashloan of 284,700 USDT and then calls the doSwapThroughOrionPool function of the ExchangeWithAtomic contract to swap the tokens, the exchange path is "USDC -> ATK(malicious token created by the attacker) -> USDT".
The out amount of the exchange is the USDT balance in the ExchangeWithAtomic contract after the exchange minus the initial balance of 2,844,700 USDT.
The problem arises when a call to the ATK token transfer function during the exchange causes the attacker to re-enter the ExchangeWithAtomic contract depositAsset function, resulting in the transfer of 284.4 million USDT from the flashloan to the ExchangeWithAtomic contract.
The attacker's deposit in the ExchangeWithAtomic contract is recorded as 2,844,700 and the balance of USDT tokens in the contract becomes 5,689,000. As a result, the attacker's exchange of USDT is calculated as 5,689,000 minus 2,844,700.
By calling the library function creditUserAssets to update the attacking contract's ledger in the ExchangeWithAtomic contract used the exchanged USDT, resulting in the attacking contract's final deposit of USDT in the ExchangeWithAtomic contract being recorded as 5.68 million.
Finally, the attacker withdraws the USDT and returns it to the flashloan lender and swaps the remaining 2.836 million USDT into WETH for profit. The attackers used the same method to launch an attack on the BSC chain and made $191,000 in profit.
The root cause of the attack was the contract exchange function is not protected from reentrancy..."
"Stolen funds have mostly been deposited to Tornado Cash, with approximately $1M of ETH remaining in the Ethereum address."
"We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code, but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers."
"Moving forward, any and all contracts will be developed in-house to eliminate any potential vulnerabilities from third-party libraries. Our focus is to fortify the Orion Protocol and make sure it remains robust."
Further Analysis
Orion Protocol is a DeFi platform that combines the best features of exchanges, brokerages, and instant trading apps. The platform is built around a liquidity aggregator connected to all of the major crypto exchanges and swap pools, enabling users to gain the best price for their trades from a single portal. The platform is powered by the ORN token and offers exceptional security, convenience, and flexibility. On May 2023, Orion Protocol was exploited via a reentrancy attack, which resulted in a total loss of $3 million on ETH and BSC. The attack was contained to an internal broker account and user funds remain safe. The stolen funds were deposited into Tornado Cash, with approximately $1 million of ETH remaining in the Ethereum address. Orion Protocol believes that the issue was not a result of any shortcomings in its core protocol.
How Could This Have Been Prevented?
More Cryptocurrency Exchange Hacks/Scams/Frauds
Zunami Protocol Pool Price Imbalance Arbitrage Exploit > > < < BonqDAO Protocol Oracle Hack
Sources/Further Reading
Rekt - Orion Protocol - REKT (Dec 31)
@RektHQ Twitter (Dec 31)
@SlowMist_Team Twitter (Dec 31)
@peckshield Twitter (Dec 31)
Binance Transaction Hash (Txhash) Details | BscScan
(Dec 31)
@alexeykoloskov Twitter (Dec 31)
Orion Protocol (Dec 31)
https://www.orionprotocol.io/hubfs/whitepaper.pdf (Dec 31)
 t.me/QuadrigaInitiative
|
 /r/QuadrigaInitiative
|
 @QuadrigaInit
|
 info@quadrigainitiative.com
|