Орион протокол хакован за 3 милиона долара кроз поновни улазак

Orion Protocol – a liquidity aggregator for both CeFi and DeFi exchanges – saw its core contract hacked on Thursday across both its Ethereum and Binance Smart Chains (BSC) deployments. 

The hacker netted over 1700 ETH, cumulatively worth over $3 million at writing time. 

Another Reentrancy Hack

As објаснио by the blockchain security company PeckShield on Twitter, Thursday’s hack was made possible “due to incomplete reentrancy protection.” A reentrancy bug refers to when an attacker may withdraw funds repeatedly from a smart contract at no cost. 

PeckShield elaborated that the swapThroughOrionPool function lets anyone with crafted tokens to hijack their transfer into re-entering the deposit asset function. This lets users increase their balance without any actual cost of funds. 

In this case, the hacker used a newly constructed token called ATK, and a self-destructing smart contract, to manipulate Orion’s pools. 

4/ The hack is started first on BSC w/ initial fund 0.4 BNB from @ТорнадоЦасх. The ETH hack draws initial fund 0.4 ETH from @СимплеСвап_ио. After hack, the gain of 1100 ETH is deposited into @ТорнадоЦасх and other 657 ETH stays in the hacker’s account: https://t.co/wGG6RA0qii pic.twitter.com/lRj9HGEgQc

- ПецкСхиелд Инц. (@пецксхиелд) 3. фебруара 2023. године

Alexey Koloskov, CEO of Orion, published a нит explaining the exploit shortly after it occurred. 

„Имамо разлога да верујемо да проблем није био резултат било каквих недостатака у нашем основном коду протокола, већ је можда био узрокован рањивости у мешању библиотека трећих страна у једном од паметних уговора које користе наши експериментални и приватни брокери. ," рекао је. 

Koloskov noted that the exploited contract wasn’t of major import to the public, but was mainly used by one of its experimental brokers with the company treasury. User funds, he said, are 100% safe. 

Nevertheless, Orion’s Deposit function has been closed, and will not be re-opened until the bug is patched and proper audits have taken place. 

The DeFi Honeypot

Money stolen through DeFi hacks is growing over time: In 2022, $3.8 billion was stolen, with $1.7 billion in crypto узети by North Korean hackers alone. 

Much of that money was taken by the North Korean Lazarus Group, which is сумња to have executed the $100 million Harmony bridge hack in June. 

Some of the most lucrative targets for crypto hacks have been blockchain bridges – where cryptocurrencies backing their tokenized variants circulating on other blockchains are stored.

 In October, Binance Smart Chain (BSC) was paused by validators after a hacker minted 2 Million BNB (worth $600 million at the time) out of thin air by exploiting the blockchain bridge. Much of the BNB was quickly whisked away to other chains in the aftermath.