Decentralized exchange platform Orion Protocol has suffered a $3 million hack due to reentrancy issues from third-party libraries.
Orion protocol was designed to enable users to access liquidity pools across centralized and decentralized exchanges right from their non-custodial wallet.
However, an incomplete reentrancy issue caused the protocol to be hijacked by a hacker who stole about $3 million, securities firm Peckshield reported on Jan. 3.
The hacker repeatedly called the “depositAsset” function which exposed the contract to the exploit. It started with initial funding of 0.4BNB from Tornado Cash to Orion, and another 0.4ETH via SimpleSwap.
The hacker moved to withdraw about 1100 ETH via Tornado Cash and locked up some 657 ETH in his wallet address.
Orion Protocol CEO Alexey Koloskov confirmed the hack in a Twitter thread, stating that the hack was caused by a vulnerability in third-party libraries used during Orion’s development.
However, Koloskov claimed that the stolen funds were from Orion’s Treasury, adding that all users’ funds are safe.
“We want to reassure our users that no user experienced any loss during this incident. The assets at risk were in internal broker’s accounts run by ourselves-the Orion team.”
To avert potential vulnerabilities from third-party libraries, Koloskov said that the Orion team will prioritize developing all its contracts in-house.