Decoding Orion Protocol’s Reentrancy Exploit | QuillAudits

Summary

Introduction to Orion Protocol

Check out the official whitepaper for more details on the project.

Vulnerability Analysis & Impact:

Ethereum Chain Details:

Attack Txn (ETH): 0xa6f63fcb6bec8818864d96a5b1bb19e8bd85ee37b2cc916412e720988440b2aa

BNB Chain Details:

Attack Txn (BSC): 0xfb153c572e304093023b4f9694ef39135b6ed5b2515453173e81ec02df2e2104

The Root Cause:

The ExchangeWithAtomic contract determines the deposit amount depending on the difference between the token count before and after, allowing the attacker to acquire more tokens.

Attack Steps:

1. The attacker first created a token contract with a transfer() hook, then transferred and approved the token.

2. The attacker borrowed tokens via the UNI-V2 swap method and swapped them along the path [USDC, ATK, USDT]. ATK is the attacker's own token, used to trigger the callback.

3. Through the callback in the attacker-created token contract, the token's transfer() function re-entered depositAsset(), inflating the recorded deposit amount; the attacker then withdrew the profits.

4. The attacker withdrew 5,689,532 USDT, paid back 2,853,326 USDT, swapped the remaining USDT for 1,651 WETH as profit, and self-destructed the attack contract.

The attacker conducted a similar attack on BNB Chain, earning $191,434 in profit. In total, the attack netted approximately $3 million ($191,030 on BSC and $2,836,206 on ETH).

After the Exploit:

Fund Flow:

The hacker then transferred approximately 1100 ETH into Tornado Cash.

As of this writing, the attacker still has approximately $1.1 million (657.5 ETH and 30.4 BNB) in one of his wallets.

How could they have prevented the exploit?

For more information on preventing reentrancy vulnerabilities, visit this blog.
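The root cause and attack steps above, together with the fix this section points to, as an added Solidity illustration: this is not Orion Protocol's code or QuillAudits' code. It shows a deposit function that credits the balance difference measured around an external token transfer, beside a version guarded against re-entry. Only the depositAsset() name and the balance-difference accounting come from the write-up; the contract names, storage layout, owner/allow-list logic and the inline guard are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Orion Protocol's code. Contract names, storage
// layout, the allow-list and the inline ReentrancyGuard are assumptions;
// only depositAsset() and its balance-difference accounting follow the
// write-up.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Vulnerable pattern: the credited amount is the contract's balance change
// measured around an external call. If the token runs arbitrary code during
// transferFrom (a transfer hook), that code can re-enter depositAsset() before
// the outer call takes its "after" reading. Tokens brought in by the nested
// call are then also counted by the outer call, so one transfer can be
// credited more than once.
contract VulnerableExchange {
    mapping(address => mapping(address => uint256)) public credited; // user => token => credit

    function depositAsset(address token, uint256 amount) external {
        uint256 before = IERC20(token).balanceOf(address(this));
        // External call: control passes to the token contract here.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        credited[msg.sender][token] += received;
    }
}

// Hardened pattern: a reentrancy guard makes a nested call into any guarded
// entry point revert, so the balance difference can only reflect the single
// transfer this call initiated. Balance-difference accounting is kept because
// it handles fee-on-transfer tokens; the guard is what closes the window.
// OpenZeppelin's ReentrancyGuard provides the same modifier; it is inlined
// here so the example is self-contained.
abstract contract ReentrancyGuard {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    modifier nonReentrant() {
        require(status == NOT_ENTERED, "reentrant call");
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }
}

contract HardenedExchange is ReentrancyGuard {
    mapping(address => mapping(address => uint256)) public credited;
    mapping(address => bool) public allowedToken; // optional allow-list of reviewed tokens
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    function setAllowedToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = allowed;
    }

    // Same accounting as above, but (1) no nested entry is possible while a
    // deposit is in flight and (2) only listed tokens are accepted, so an
    // arbitrary contract cannot be used as the "token" whose transfer hook
    // drives the call flow.
    function depositAsset(address token, uint256 amount) external nonReentrant {
        require(allowedToken[token], "token not listed");
        uint256 before = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        credited[msg.sender][token] += received;
    }
}
```

The guard only helps if every externally reachable function that moves tokens shares it: the write-up describes the re-entry arriving from a swap path into depositAsset(), so a swap function with its own before/after accounting must carry the same nonReentrant modifier, otherwise the outer swap still measures the inner deposit's tokens as its own output.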

Web3 security: the need of the hour

Want more Such Security Blogs & Reports?

Partner with QuillAudits:


Smart Contract Auditing Experts, making web3 a safer place. audits@quillhash.com
