An unknown attacker carried out an attack on the decentralised platform Orion Protocol, operating on Ethereum and BNB Chain. The hacker managed to obtain $3 million.
1/ Again, a $3M lesson from the reentrancy bug! The @orion_protocol is hacked due to a reentrancy issue in its core contract: ExchangeWithOrionPool. Both eth/bsc deployment are hacked. Here are the two related hack txs: https://t.co/YvRIRq6T57 https://t.co/GbexocEZAo https://t.co/lF13kbMkA8
— PeckShield Inc. (@peckshield) February 3, 2023
According to PeckShield researchers, the attacker carried out a reentrancy attack. The vulnerability arises when an attacker can repeatedly call a function and withdraw assets from a smart contract before the contract updates its internal state. Such incidents are possible when there are coding errors and weaknesses in the protocol’s security architecture.
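The ordering problem described above, shown as an added Python model; it is not Orion Protocol's contract code and not taken from PeckShield's analysis. The `Vault` class, the sample balances and the callback are constructed for illustration, and the hardened path assumes the common fix of updating state before the external call plus a reentrancy lock.

```python
# Simplified ledger model of the bug class; all names and balances are constructed.
class Vault:
    def __init__(self, effects_first):
        self.effects_first = effects_first  # True = hardened ordering plus lock
        self.balances = {}
        self.reserves = 0
        self.locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def _pay(self, amount, on_receive):
        if amount > self.reserves:
            raise RuntimeError("insufficient reserves")
        self.reserves -= amount
        on_receive()  # models the external call: recipient code runs now

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if not self.effects_first:
            self._pay(amount, on_receive)  # interaction first
            self.balances[who] = 0         # state updated too late
            return
        if self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            self.balances[who] = 0         # state updated before the call
            self._pay(amount, on_receive)
        finally:
            self.locked = False

def paid_out(effects_first, reentries=3):
    """Return how much leaves the vault for one 10-unit withdrawal."""
    vault = Vault(effects_first)
    vault.deposit("other_users", 90)  # constructed sample balances
    vault.deposit("caller", 10)
    calls = 0
    def on_receive():  # recipient callback that calls back into withdraw
        nonlocal calls
        if calls < reentries:
            calls += 1
            try:
                vault.withdraw("caller", on_receive)
            except RuntimeError:
                pass
    vault.withdraw("caller", on_receive)
    return 100 - vault.reserves
```

With the late state update, a 10-unit balance is paid once per nested call until the reserves run out; with the state update first and the lock held, the nested call is rejected and only the 10 units owed leave the vault.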
The Orion Protocol team acknowledged the hack and suspended the deposit function.
The project's CEO, Alexey Koloskov, emphasised that users did not lose funds; only the company’s assets were affected:
“We want to reassure our users that none of them suffered losses during this incident.”
He added that the vulnerability could have arisen from the use of third-party libraries to write smart contracts. Going forward, according to Koloskov, the development team will rely more on in-house resources.
Earlier, Omni lost $1.5 million in a reentrancy attack.
