Orion Protocol Hack Analysis — Missing Reentrancy Protection

Shashank
Published in SolidityScan
Feb 8, 2023


Description

On February 2, 2023, it was discovered that contracts on the Orion protocol had been hacked through another reentrancy vulnerability in one of the protocol’s core contracts, resulting in a $3M profit for the attackers from assets deployed on ETH and BSC. Our tool, SolidityScan, was detecting the vulnerability.

SolidityScan — Smart Contract Vulnerability Scanner

Smart Contract Hack Overview:

Decoding the smart contract vulnerability:

  • The depositAsset() method of ExchangeWithOrionPool lacked reentrancy protection/modifiers. To add tokens through it, the attacker constructed a fake token (ATK) with self-destruct whose transfer() function served as the entry point for the attack.
  • To start the attack, the attacker deposited 0.5 USDC through the depositAsset() function, then passed a flash loan of 191,606 USDC to the swapThroughOrionPool() function to swap USDC via the path USDC-ATK-USDT.
  • While the swap was moving through this path, the attacker reentered the Orion protocol by calling the reentrancy-unprotected depositAsset() function and depositing the flash-borrowed amount, a deposit of 191,606 USDT.
  • Because the ExchangeWithAtomic contract calculated the deposit amount from the difference between the token balances before and after, the attacker was credited with additional tokens.
  • Following the deposit, the attacker stole all the remaining funds from the ExchangeWithAtomic contract and repeated the process on the BSC network, making a $3M profit.
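The balance-difference accounting described above can be modelled in a few lines. This is an added example, not Orion's code or part of the original post: a simplified Python model with hypothetical names (`Exchange`, `deposit_asset`, `swap`, `run`), a constructed starting balance and a constructed pool output of 1. It shows how a nested deposit during the swap is counted twice, and how one lock shared by both functions rejects it.

```python
# Toy model (constructed for illustration, not Orion's code): one USDT ledger.
class ReentrantCall(Exception):
    pass

class Exchange:
    def __init__(self, guarded, held):
        self.guarded = guarded   # True: deposit and swap share one reentrancy lock
        self.locked = False
        self.held = held         # USDT the contract actually holds
        self.credit = {}         # user -> internal USDT credit

    def _enter(self):
        if self.guarded and self.locked:
            raise ReentrantCall("reentrant call")
        self.locked = True

    def deposit_asset(self, user, amount):
        self._enter()
        self.held += amount      # tokens move from user to contract
        self.credit[user] = self.credit.get(user, 0) + amount
        self.locked = False

    def swap(self, user, pool_output, token_hook=None):
        self._enter()
        try:
            before = self.held
            if token_hook:       # transfer() of an untrusted token on the path
                token_hook(self)
            self.held += pool_output
            received = self.held - before   # balance-difference accounting
            self.credit[user] = self.credit.get(user, 0) + received
            return received
        finally:
            self.locked = False

def run(guarded, loan=191_606, pool_output=1):
    ex = Exchange(guarded, held=1_000_000)   # constructed: other users' funds
    hook = lambda e: e.deposit_asset("caller", loan)
    try:
        ex.swap("caller", pool_output, hook)
    except ReentrantCall:
        return "reverted", ex.credit.get("caller", 0), ex.held
    return "ok", ex.credit["caller"], ex.held

if __name__ == "__main__":
    print(run(guarded=False))   # credit exceeds tokens supplied
    print(run(guarded=True))    # nested deposit is rejected
```

In the unguarded run the caller's internal credit is roughly double the tokens that actually entered the contract, and the excess is backed by other users' funds. The lock only helps because the deposit and swap paths share it.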

Mitigations and Best Practices:

  • Always ensure that every state change happens before calling external contracts, i.e., update balances or code internally before calling external code.
  • Use function modifiers that prevent reentrancy.
  • Get your codebase audited by third parties.
  • Use OpenZeppelin’s ReentrancyGuard.
  • To prevent such vulnerabilities, the best smart contract auditors must examine the smart contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan.

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
