YEREVAN (CoinChapter.com) – Liquidity aggregator Orion Protocol (ORN) was hacked on Feb 2. According to estimates, over $3 million was taken from the platform due to a “vulnerability in its trading pool.” Here are additional details:
Orion Protocol (ORN) hacked
Late on Feb 2, a Twitter user under the pseudonym @spreekaway was among those who reported the problem. They estimated that $2.76 million was drained from the mainnet, while approximately $200,000 was taken from Binance Smart Chain (BSC).
The Binance team was “immediately notified” of the hack, after which the CEO Changpeng Zhao (CZ) tweeted that no Binance users or assets were affected.
According to findings from crypto security firm PeckShield Inc., the Orion protocol was hacked due to a reentrancy issue in its core contract.
The hack is made possible due to incomplete reentrancy protection: swapThroughOrionPool func allows user-provided swap path w/ crafted tokens whose transfer can be hijacked into re-entering depositAsset func to increase user balance accounting w/o actually costing funds!
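The flaw class described above (a lock on the swap entry point but none on deposit), as an added Python model that is not Orion's contract code. The class and method names, and the balance-delta accounting inside `swap`, are assumptions made for illustration.

```python
# Toy model of "incomplete reentrancy protection". Names are illustrative only.
class Reentered(Exception):
    """Raised when a guarded function is entered while the lock is held."""

class Vault:
    def __init__(self, guard_deposit):
        self.guard_deposit = guard_deposit  # True = hardened: deposit honours the lock
        self.locked = False
        self.held = 0     # tokens the vault really holds
        self.credit = {}  # internal per-user balance accounting

    def deposit(self, user, amount):
        # Hardened form: the same lock covers every state-changing entry point.
        # (An on-chain guard would also hold the lock for the duration of deposit.)
        if self.guard_deposit and self.locked:
            raise Reentered("deposit called during swap")
        self.held += amount
        self.credit[user] = self.credit.get(user, 0) + amount

    def swap(self, user, path):
        if self.locked:
            raise Reentered("swap called during swap")
        self.locked = True
        try:
            before = self.held
            for token in path:  # user-supplied path: each transfer is an external call
                token.transfer(self, user)
            # ASSUMPTION of this model: swap output is measured as a balance delta,
            # so anything deposited mid-swap is counted a second time here.
            received = self.held - before
            self.credit[user] = self.credit.get(user, 0) + received
        finally:
            self.locked = False

class CallbackToken:
    """Constructed stand-in for a path token whose transfer calls back into the vault."""
    def __init__(self, amount):
        self.amount = amount

    def transfer(self, vault, user):
        vault.deposit(user, self.amount)

def run(guard_deposit, amount=100):
    """Return (outcome, tokens held, credit recorded) after one swap."""
    vault = Vault(guard_deposit)
    try:
        vault.swap("alice", [CallbackToken(amount)])
    except Reentered:
        return "reverted", vault.held, vault.credit.get("alice", 0)
    return "ok", vault.held, vault.credit.get("alice", 0)
```

With the lock only on `swap`, recorded credit ends up larger than the tokens held; with the lock shared by `deposit`, the nested call is rejected and the books stay balanced.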
Orion Finance pool is also affected
Allegedly, within minutes of the first hack, another attack occurred targeting the “Orion Finance” pool on the Ethereum scaling solution Arbitrum. Moreover, auditor Marco Paladin issued a warning on his Twitter page before the rug pull on Arbitrum, but the presale still filled fully in 10 minutes.
Be careful with interacting with ohm fork “Orion Finance” on @arbitrum presale in 30 minutes. The on-chain contract 0xe1cd602a4ad658f2e0bba76b2c1f3b325840e279 appears to be deployed by serial ruggers.
warned Paladin on Feb 1.
“I’ve got no idea whether this contract is deployed by Orion themselves or not,” said the expert. “BE CAREFUL,” he added and clarified his concerns in the thread that followed. However, despite the warning, $320,000 went to culprit addresses within minutes.
Next time try to weigh your chances before aping. Degeneracy is an inherently net negative. As soon as there’s a likelihood that the team acts maliciously, it’s often not worth it. Stay safe out there, I hope my followers were at least saved from this one, as it got so much hype.
read the latest tweet on Feb 2.