SlowMist: The attack on Orion Protocol was due to the lack of reentrancy protection in the contract's exchange function

2023-02-03 15:55:04

ChainCatcher news: this morning, the Orion Protocol project's contracts on the ETH and BSC chains were attacked, with the attacker profiting approximately $3.027 million. The SlowMist security team's analysis of the attack process and its causes is as follows:

  1. The attacker first called the depositAsset function of the ExchangeWithAtomic contract to make a deposit, putting in 0.5 USDC tokens in preparation for the attack below;

  2. The attacker borrowed 2.8447 million USDT tokens through a flash loan, then called the doSwapThroughOrionPool function of the ExchangeWithAtomic contract to exchange tokens, with the exchange path being [USDC -> ATK (a malicious token created by the attacker) -> USDT];

  3. The amount received from the exchange is calculated by subtracting the USDT token balance of the ExchangeWithAtomic contract before the exchange (2.8447 million) from its balance after the exchange. The problem arises during the USDC -> ATK leg, which calls the transfer function of the ATK token. This function, maliciously constructed by the attacker, calls back into the depositAsset function of the ExchangeWithAtomic contract and deposits the borrowed 2.844 million USDT tokens. At this point, the deposit is successfully recorded in the ExchangeWithAtomic contract as 2.8447 million, and the contract's USDT token balance becomes 5.689 million, so the amount of USDT tokens exchanged by the attacker is calculated as 5.689 million minus 2.8447 million, which equals 2.8447 million;

  4. After the exchange, the library function creditUserAssets is called to update the attack contract's ledger in the ExchangeWithAtomic contract with the exchanged USDT tokens, resulting in the attack contract's USDT token deposit in the ExchangeWithAtomic contract being recorded as 5.689 million;

  5. Finally, the attacker calls the withdraw function of the ExchangeWithAtomic contract to withdraw USDT, repays the flash loan, and converts the remaining 2.836 million USDT tokens into WETH as profit. The attacker used the same method to launch an attack on the BSC chain, profiting $191,000.

The root cause of this attack is twofold: the contract's exchange function lacks reentrancy protection, and the amount credited to the ledger after the exchange is calculated from the difference in token balances before and after the exchange. This allowed the attacker to use the fake token to reenter the deposit function and obtain more tokens than expected.
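
The accounting flaw described above, modelled in Python as an added example (not Orion's contract code and not part of SlowMist's analysis); it shows one deposit being counted twice by balance-delta accounting, and a guard shared by the deposit and exchange entry points rejecting the nested call. All class and function names are hypothetical, the 2,844,700 values stand for the article's 2.8447 million, and the pool output of 0 is a constructed value.

```python
class ReentrancyError(Exception):
    pass

def non_reentrant(fn):
    """Model of a reentrancy guard shared by all guarded entry points."""
    def wrapper(self, *args):
        if self.guarded and self.locked:
            raise ReentrancyError(fn.__name__)  # on-chain: the transaction reverts
        prev, self.locked = self.locked, True
        try:
            return fn(self, *args)
        finally:
            self.locked = prev
    return wrapper

class Exchange:
    def __init__(self, guarded, held_usdt):
        self.guarded, self.locked = guarded, False
        self.usdt_balance = held_usdt  # USDT tokens the contract really holds
        self.ledger = {}               # internal per-user deposit ledger

    @non_reentrant
    def deposit(self, user, amount):
        self.usdt_balance += amount
        self.ledger[user] = self.ledger.get(user, 0) + amount

    @non_reentrant
    def swap(self, user, pool_output, token_transfer):
        before = self.usdt_balance
        token_transfer(self)                   # untrusted token code runs mid-swap
        self.usdt_balance += pool_output       # USDT the pool actually delivers
        received = self.usdt_balance - before  # balance-delta accounting
        self.ledger[user] = self.ledger.get(user, 0) + received
        return received

HELD = 2_844_700      # contract's USDT before the swap (article figure)
BORROWED = 2_844_700  # flash-loaned USDT (article figure)

def scenario(guarded):
    ex = Exchange(guarded, HELD)
    reenter = lambda e: e.deposit("caller", BORROWED)  # callback inside transfer()
    try:
        ex.swap("caller", 0, reenter)  # pool_output=0 is a constructed value
    except ReentrancyError:
        return "reverted", ex.ledger.get("caller", 0)
    return "credited", ex.ledger["caller"]

if __name__ == "__main__":
    print(scenario(False))  # one deposit counted twice in the ledger
    print(scenario(True))   # nested deposit rejected by the guard
```

The guard only helps because `deposit` and `swap` share one lock; crediting the amount reported by the pool instead of a balance difference would remove the second precondition as well.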
