Summary
- Orion Protocol, a liquidity aggregator for centralized and decentralized exchanges, lost $3 million in one of DeFi’s biggest hacks of the year.
- The hacker used a reentrancy attack to repeatedly withdraw funds from Orion’s smart contract.
- The postmortem revealed that the attacker created a fake token (ATK), manipulated swaps of flash-loaned stablecoins, and artificially deposited the assets twice to withdraw $3 million.
DeFi Hack on Orion Protocol
Last week, the liquidity aggregator for centralized and decentralized exchanges, Orion Protocol, suffered one of DeFi’s biggest hacks of the year. The hacker stole $3 million from Orion Protocol’s liquidity pool by creating a fake token and using flash loans and a reentrancy hook. Orion Protocol’s CEO Alexey Koloskov said only an internal broker account was affected, and users‘ accounts remain safe.
Postmortem Reveals Attack Details
Over the weekend, a postmortem conducted on Orion Protocol revealed that the attacker created a fake token (ATK), manipulated swaps of flash-loaned stablecoins, and artificially deposited the assets twice to withdraw $3 million. On-chain data shows that the hacker has moved most of the funds to the sanction crypto mixer Tornado Cash; however, approximately $1 million worth of ETH remains in their address.
Vulnerability & Exploit Details
Orion Protocol CEO Alexey Koloskov explained that this exploit was not a shortcoming of any core codes but instead caused by „vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers.“ The report states that „the attacker used manipulated swaps of flash loaned stablecoins, artificially depositing the assets twice before withdrawing inflated balances.“