Orion Protocol, a decentralized protocol enabling liquidity pools to get reliable access and exposure between centralized and decentralized exchanges, was subjected to an exploit due to vulnerabilities from third-party libraries.
The exploit was executed as a reentrancy attack, allowing yet unidentified threat actors to siphon over $3 million off the crypto exchange. The precise nature of the attack has yet to be confirmed, but it is believed that a malicious actor was able to take advantage of information security vulnerabilities within third-party libraries integrated to the protocol.
A reentrancy exploit is a type of attack vector that exploits a vulnerability from within a protocol’s smart contract code to repeatedly access and manipulate functions by repetitive calling. This is deployed by threat actors with the intent of draining funds off of a contract, right before it could update its internal state. Lock functions on smart contracts are not readily available, but can be hardcoded during the execution of its balancer. This is similar to the type of vulnerability reported on UniSwap by Dedaub, a Paris-based blockchain security firm.
An investigation into the matter has been initiated by the protocol’s developers, while its management has promised that they have been taking proactive steps to secure the protocol further.
“We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code, but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers,” said Alexey Koloskov, CEO of Orion Protocol, while also assuring users of the protocol that their funds are safe.
Blockchain security firm Peckshield, which first identified and disclosed the vulnerability has confirmed further details on the matter, and said that the protocol has been paused, with the root cause already being addressed by Orion Protocol’s team.
This particular incident, alongside other instances of reentrancy attacks across the decentralized web, serves as a reminder of the importance of information security in the crypto sector, especially given the massive implications that smart contract vulnerabilities can play out. The integration of third-party libraries may either be pre-audited or be based off of deals to expand a project’s reach, but compromise in these cases cannot be decided over with the prospect of mere profit or an increase in valuation: user security and peace of mind must come first.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.