# Overview

On February 2, 2023, the Orion Exchange experienced a significant security breach, losing $191,000 on BNB Chain and 1651 WETH (approx. $2,763,180) on Ethereum. An attacker manipulated the Orion protocol, using malicious tokens to create pair contracts and exploiting it via a flash loan. This double-crediting technique enabled them to illicitly withdraw substantial funds from both networks.

# Exploit Transactions

Exploiter wallet funded by Binance: [0x051da5902d95680cb765d60f153ad0dde521f2fb3ff737147e2d06419a2ad4ae](https://etherscan.io/tx/0x051da5902d95680cb765d60f153ad0dde521f2fb3ff737147e2d06419a2ad4ae)

BNB Chain Exploit Transaction: [0xfb153c572e304093023b4f9694ef39135b6ed5b2515453173e81ec02df2e2104](https://bscscan.com/tx/0xfb153c572e304093023b4f9694ef39135b6ed5b2515453173e81ec02df2e2104)

Ethereum Exploit Transaction: [0xa6f63fcb6bec8818864d96a5b1bb19e8bd85ee37b2cc916412e720988440b2aa](https://etherscan.io/tx/0xa6f63fcb6bec8818864d96a5b1bb19e8bd85ee37b2cc916412e720988440b2aa)

Ethereum:

Create TokenA (unverified ERC20 token contract): [0x40edb8fa17fd52547eeec2c635ea8bdc219b7918cf4c71159ded339a753364bd](https://etherscan.io/tx/0x40edb8fa17fd52547eeec2c635ea8bdc219b7918cf4c71159ded339a753364bd)

Create OrionPool Pair:

1. [0x40edb8fa17fd52547eeec2c635ea8bdc219b7918cf4c71159ded339a753364bd](https://etherscan.io/tx/0x40edb8fa17fd52547eeec2c635ea8bdc219b7918cf4c71159ded339a753364bd)
2.
   [0x06238d3b68dbc6e99aef2403cc8c50a5d7261e44fedd1e4f6555e52f1118c1fe](https://etherscan.io/tx/0x06238d3b68dbc6e99aef2403cc8c50a5d7261e44fedd1e4f6555e52f1118c1fe)
   - Pair address Tether/TokenA: [0x13e557c51C0a37E25E051491037Ee546597c689F](https://etherscan.io/address/0x13e557c51C0a37E25E051491037Ee546597c689F)
   - Send 0.5 Token A to pair: [0x0a0573fb9904e6d8dd6cd94db25dfef90179aac3a1a92d509caf2f6aa2a59462](https://etherscan.io/tx/0x0a0573fb9904e6d8dd6cd94db25dfef90179aac3a1a92d509caf2f6aa2a59462)
   - Mint OrionPool V2 tokens: [0x0a0573fb9904e6d8dd6cd94db25dfef90179aac3a1a92d509caf2f6aa2a59462](https://etherscan.io/tx/0x0a0573fb9904e6d8dd6cd94db25dfef90179aac3a1a92d509caf2f6aa2a59462)

Create 2nd OrionPool Pair: [0xa17d631e0d768c9a1f2fa68bef89e8e4713be05484ab7aae0765b569a3fe5b69](https://etherscan.io/tx/0xa17d631e0d768c9a1f2fa68bef89e8e4713be05484ab7aae0765b569a3fe5b69)

- Pair address USDC/Token A: [0x76fe189e4fA5Ff997872DDF44023B04Cd7Cb03d2](https://etherscan.io/address/0x76fe189e4fA5Ff997872DDF44023B04Cd7Cb03d2)
- Transfer 0.5 Token A to pair: [0x293d557c3427f09824de35882f92a699e4f3e731ef2ad9b4b134f5c980cf98ab](https://etherscan.io/tx/0x293d557c3427f09824de35882f92a699e4f3e731ef2ad9b4b134f5c980cf98ab)
- Mint OrionPool V2 tokens: [0xee3a8434e69ff250449f3e8caefb695249c2f6a28b7cc957ef50eda11946ee78](https://etherscan.io/tx/0xee3a8434e69ff250449f3e8caefb695249c2f6a28b7cc957ef50eda11946ee78)

# Addresses

Exploiter 1: [0x837962b686fd5a407fb4e5f92e8be86a230484bd](https://etherscan.io/address/0x837962b686fd5a407fb4e5f92e8be86a230484bd)

Exploiter 2: [0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1](https://bscscan.com/address/0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1)

BSC Chain:

- Attacker Contract (Self Destruct): [0x84452042cb7be650be4eb641025ac3c8a0079b67](https://bscscan.com/address/0x84452042cb7be650be4eb641025ac3c8a0079b67)
- Attack Token Contract (Unverified):
  [0xc4da120a4acf413f9af623a2b9e0a9878b6a0afe](https://bscscan.com/address/0xc4da120a4acf413f9af623a2b9e0a9878b6a0afe)
- Attack Token pair with BUSD: [0x129ba1141a5ef746f39f4b3bb07b606b2020496a](https://bscscan.com/address/0x129ba1141a5ef746f39f4b3bb07b606b2020496a)
- Attack Token pair with USDC: [0x8ac64fcfc483d9343ee11be2c4a2f46c329a37df](https://bscscan.com/address/0x8ac64fcfc483d9343ee11be2c4a2f46c329a37df)

Ethereum:

- Attacker Contract (Self Destruct): [0x5061f7e6dfc1a867d945d0ec39ea2a33f772380a](https://etherscan.io/address/0x5061f7e6dfc1a867d945d0ec39ea2a33f772380a)
- Attacker Token Contract (Unverified): [0x64acd987a8603eeaf1ee8e87addd512908599aec](https://etherscan.io/address/0x64acd987a8603eeaf1ee8e87addd512908599aec)
- Attacker token pair USDT: [0x13e557c51C0a37E25E051491037Ee546597c689F](https://etherscan.io/address/0x13e557c51C0a37E25E051491037Ee546597c689F)
- Attacker token pair USDC: [0x76fe189e4fA5Ff997872DDF44023B04Cd7Cb03d2](https://etherscan.io/address/0x76fe189e4fA5Ff997872DDF44023B04Cd7Cb03d2)

# Attack Flow

The attack flow below describes the exploit path on the Ethereum network; the attack transactions listed above follow the same pattern. The attacks showed multiple levels of malicious intent: preparing all the contracts, siphoning all the liquidity, and then obfuscating the funds through Tornado Cash.

Stage 1. **Prepare**

Stage 2. **Exploit**

Stage 3. **Run funds through Tornado Cash**

## Stage 1

**1.** Exploiter creates the fake attack token (ATK) on both BSC and Ethereum.

**2.** Exploiter creates 2 OrionPool pairs, USDT/ATK and USDC/ATK.

**3.** Exploiter transfers 0.5 ATK to [0x13e557c51C0a37E25E051491037Ee546597c689F](https://etherscan.io/address/0x13e557c51C0a37E25E051491037Ee546597c689F).
- **a.** This transfer sets the malicious token's `_transfer` storage value to 1.

![](https://hackmd.io/_uploads/rJgMArWjn.png)

**4.** Exploiter transfers 0.5 ATK to [0x76fe189e4fA5Ff997872DDF44023B04Cd7Cb03d2](https://etherscan.io/address/0x76fe189e4fA5Ff997872DDF44023B04Cd7Cb03d2).

- **a.** This transfer sets the malicious token's `_transfer` storage value to 2.

![](https://hackmd.io/_uploads/rkYv0Hbsn.png)

**5.** Exploiter calls the mint function on the pool to receive OrionV2 tokens.

**6.** Exploiter [deploys](https://etherscan.io/tx/0x89a7af2a13ac2ba599aec737d6debf9e3251f224337f4cdd3cd2ab42979fb3f9) the attack contract: [0x5061f7e6dfc1a867d945d0ec39ea2a33f772380a](https://etherscan.io/address/0x5061f7e6dfc1a867d945d0ec39ea2a33f772380a)

**7.** Exploiter calls the `setMain` function on the attack token, which loads the attack contract into the input parameter.

**8.** Exploiter transfers 0.000001 USDT to the exploit contract.

**9.** Exploiter transfers 1 USDC to the exploit contract.

## Stage 2

**1.** Approve USDT, USDC, and the OrionPair USDT token to the Atomic Exchange.

**2.** Send 0.5 of the 1 USDC deposited to the Exchange contract.

**3.** Create a flash swap for 2,844,766 USDT from Uniswap V2 for an exact amount inside the Orion Protocol.

**4.** Swap 0.0001 USDC for 0.000099680123783317 TokenA (ATK).

- **a.** Deposits 2,844,766 USDT to the protocol from the flash swap.
- **b.** CallData shows the route of the swap pathing.
  - **i.** The path is USDC → Exploit → USDT.
  - **ii.** Exploiter swaps 0.0001 for 0.000099680123783317 for .99.
  - **iii.** In Stage 1, the attacker token contract was incrementing the `_transfer` variable. This is important because it enables a pseudo re-entrancy attack: on the token's third transfer call, it triggers the deposit, and this is what allows the re-entrancy to occur. Below is a picture of the decompiled bytecode of the transfer function of Token A.
![](https://hackmd.io/_uploads/rkVEfLZsh.png)

  - **iv.** Due to the deposit re-entrancy call during the swap of 2,844,766 USDT, the attacker was able to increase the USDT balance to 5,689,532.85 USDT because of incorrect bookkeeping.
  - **v.** As `AmountOut` from `_doSwapTokens()` is now 2,844,766, this value is returned to `doSwapThroughOrionPool()`.
  - **vi.** `creditUserAssets()` then updates the balance incorrectly by calling `_updateBalance()`.
  - **vii.** `_updateBalance()` should add a further 2,844,766 USDT to the exploiter's balance. This allows the exploiter to drain the funds completely when calling withdraw.

![](https://hackmd.io/_uploads/ry1FXLbs2.png)

  - **viii.** The swap call ends after the deposit goes through.
  - **ix.** The balance should now be 5,689,328 USDT because of the re-entered swap.

**5.** Withdraw all Tether: the 2,844,766 USDT that was flash-loaned and the 2,844,766 USDT that was inside the protocol.

- **a.** Everything is withdrawn except for 1 USDT.

**6.** The attack contract calls the self-destruct opcode and destroys itself.

### Vulnerability Analysis

The issue is found in the exchange contract, which is identical to the Uniswap router: [0x98a877bb507f19eb43130b688f522a13885cf604](https://etherscan.io/address/0x98a877bb507f19eb43130b688f522a13885cf604). The incorrect checks allow the attacker to double credit their account. This is done via the `transfer()` method in Token A calling the deposit function, allowing a pseudo re-entrancy exploit.

![](https://hackmd.io/_uploads/ByBo48Zoh.png)

![](https://hackmd.io/_uploads/Sktn4I-sn.png)

When exploit Token A is created, `_transfer` is a storage variable that is by default set to zero. On the first transfer to the token pair address, `_transfer` is incremented from 0 to 1. When the next transfer is done, it is incremented to 2.
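The `_transfer` counter from Stage 1 and the double credit described in this analysis, modelled as an added Python example (this is not Orion's code and not part of the original write-up). It reduces the exchange to the one decision that mattered: swap output is credited as the difference between the USDT the exchange holds after and before the external calls. A token whose third `transfer()` calls back into `deposit()` inside that window inflates the delta, so one deposit is credited twice. The same exchange with `guarded=True` shares a single re-entrancy lock between `deposit()` and the swap path and rejects the nested call. Class and function names (`Exchange`, `Pool`, `CallbackToken`, `swap_through_pool`, `run_scenario`) and all amounts are constructed for the model and are not the page's figures or the protocol's API.

```python
class Reverted(Exception):
    """Stands in for an EVM revert."""


class Token:
    """Minimal ERC-20-style ledger, constructed for this model."""

    def __init__(self, name, balances):
        self.name, self.balances = name, dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise Reverted(f"{self.name}: insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount


class CallbackToken(Token):
    """Token whose third transfer() calls back into Exchange.deposit(),
    mirroring the `_transfer` counter the page describes."""

    def __init__(self, name, balances, exchange, user, deposit_amount):
        super().__init__(name, balances)
        self.exchange, self.user, self.deposit_amount = exchange, user, deposit_amount
        self._transfer = 0

    def transfer(self, sender, to, amount):
        super().transfer(sender, to, amount)
        self._transfer += 1
        if self._transfer == 3:
            self.exchange.deposit(self.user, self.deposit_amount)


class Pool:
    def __init__(self, address, usdt, rate):
        self.address, self.usdt, self.rate = address, usdt, rate

    def swap(self, amount_in, to):
        # Fixed-rate pool: pays `rate` USDT per unit of the token it received.
        self.usdt.transfer(self.address, to, amount_in * self.rate)


class Exchange:
    ADDRESS = "exchange"

    def __init__(self, usdt, guarded):
        self.usdt, self.guarded, self.credits, self._locked = usdt, guarded, {}, False

    def _enter(self):
        if self.guarded and self._locked:  # guarded: one lock shared by deposit() and the swap path
            raise Reverted("ReentrancyGuard: reentrant call")
        self._locked = True

    def deposit(self, user, amount):
        self._enter()
        try:
            self.usdt.transfer(user, self.ADDRESS, amount)
            self.credits[user] = self.credits.get(user, 0) + amount  # internal ledger
        finally:
            self._locked = False

    def swap_through_pool(self, user, token_in, amount_in, pool):
        self._enter()
        try:
            before = self.usdt.balance_of(self.ADDRESS)
            token_in.transfer(user, pool.address, amount_in)  # external call; callback fires here
            pool.swap(amount_in, self.ADDRESS)
            # Flawed bookkeeping: whatever arrived during the external calls,
            # including a re-entered deposit, is credited again as swap output.
            amount_out = self.usdt.balance_of(self.ADDRESS) - before
            self.credits[user] = self.credits.get(user, 0) + amount_out
            return amount_out
        finally:
            self._locked = False

    def solvent(self):
        """Invariant a monitor can check: the ledger never exceeds the USDT actually held."""
        return sum(self.credits.values()) <= self.usdt.balance_of(self.ADDRESS)


def run_scenario(guarded):
    """One swap with constructed amounts; returns (credited, usdt_held, solvent, reverted)."""
    user = "user"
    usdt = Token("USDT", {user: 1_000, "pool": 10_000})
    ex = Exchange(usdt, guarded)
    atk = CallbackToken("ATK", {user: 3}, ex, user, deposit_amount=1_000)
    pool = Pool("pool", usdt, rate=1)
    atk.transfer(user, "pool", 1)  # two priming transfers advance the counter,
    atk.transfer(user, "pool", 1)  # as in Stage 1 steps 3 and 4 above
    reverted = False
    try:
        ex.swap_through_pool(user, atk, 1, pool)
    except Reverted:
        reverted = True
    return ex.credits.get(user, 0), usdt.balance_of(ex.ADDRESS), ex.solvent(), reverted
```

With `guarded=False` the user ends up credited 2,001 USDT while the exchange holds only 1,001, so `solvent()` is false: the re-entered deposit was counted once by `deposit()` and again by the swap's balance delta. With `guarded=True` the nested `deposit()` hits the lock and the whole swap reverts, leaving the ledger untouched. Two caveats for reading the model: Python does not roll back state on an exception, so the guarded run shows the revert but not the EVM's full rollback of the ATK transfer; and the lock is one fix among several, crediting swap output from the amount the pool reports rather than from a balance delta would also close the gap. The `solvent()` check is the kind of invariant worth asserting on-chain or watching off-chain: total credited balances must never exceed the tokens a contract actually holds.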
Because the exploit function `start()` increments the `_transfer` storage variable again, this function starts the exploit.

![](https://hackmd.io/_uploads/H1ONH8bi2.png)

As the bookkeeping in the protocol was incorrect, a pseudo re-entrancy exploit was able to occur. Had a safer approach to updating the state been chosen, the exploiter would not have been able to maliciously manipulate the price. The incorrect accounting was exploited as the offender used a flash loan to simultaneously swap a minimal amount of tokens and deposit a substantial sum of 2,844,766 USDT into the protocol. Upon completion of this operation, the exploiter's balance doubled, which enabled the withdrawal of all USDT present on the platform.

![](https://hackmd.io/_uploads/SJeqS8Zin.png)

## Stage 3

During the investigation, the attacker's wallet was traced back to a centralized exchange on the Ethereum network: [0x051da5902d95680cb765d60f153ad0dde521f2fb3ff737147e2d06419a2ad4ae](https://etherscan.io/tx/0x051da5902d95680cb765d60f153ad0dde521f2fb3ff737147e2d06419a2ad4ae). The initial funding transfer was 0.449 ETH. On the BSC Chain, the exploiter received 0.4 BNB from Tornado Cash; each transaction received from Tornado Cash was a transfer of 0.1 BNB.

**Ethereum**

As Tornado Cash only allows deposits in increments of 0.1, 1, 10, and 100 Ether, the exploiter chose 100 Ether for each deposit. The following transactions are in order:

1. [0xe09da26a0224485ae797a3c240ff863ec6818ea02bb20dbe5da7c7ef19465fe0](https://etherscan.io/tx/0xe09da26a0224485ae797a3c240ff863ec6818ea02bb20dbe5da7c7ef19465fe0)
2. [0xba665a9152c3e31c49b3a5c1b0d215dbce1b3c7f305d0d63b92f0433e9f88a52](https://etherscan.io/tx/0xba665a9152c3e31c49b3a5c1b0d215dbce1b3c7f305d0d63b92f0433e9f88a52)
3. [0x0525f57aec62035340d88aba19cb0984fbb9ba3c35db0e65d3c21507409a28bd](https://etherscan.io/tx/0x0525f57aec62035340d88aba19cb0984fbb9ba3c35db0e65d3c21507409a28bd)
4.
   [0xcfcb49d69239ba6be17272457cd8cb5fadbc8d13b86447eb4bc65717efa93fb8](https://etherscan.io/tx/0xcfcb49d69239ba6be17272457cd8cb5fadbc8d13b86447eb4bc65717efa93fb8)
5. [0xc138b7f2c0e5e127e8b4da3434c28fed0c5f0ac60d56a7f57e839fb977764883](https://etherscan.io/tx/0xc138b7f2c0e5e127e8b4da3434c28fed0c5f0ac60d56a7f57e839fb977764883)
6. [0x1853179b82bdc680147955a16222b42724bfb16ccf4a9cfe8c28055a0ef22fae](https://etherscan.io/tx/0x1853179b82bdc680147955a16222b42724bfb16ccf4a9cfe8c28055a0ef22fae)
7. [0x49506b0c519e6b2abd30e0629ad7f8110a41c27b76a0884febf675bf7a812c77](https://etherscan.io/tx/0x49506b0c519e6b2abd30e0629ad7f8110a41c27b76a0884febf675bf7a812c77)
8. [0x83574316d14a1d8c16c225b2f3e4d1b49ecbf8642270b5324d18c152e1e3af42](https://etherscan.io/tx/0x83574316d14a1d8c16c225b2f3e4d1b49ecbf8642270b5324d18c152e1e3af42)
9. [0x934c0f63e97bcebd782ce1e67fb04e4e31a50e1935a6206442a6f3de86629769](https://etherscan.io/tx/0x934c0f63e97bcebd782ce1e67fb04e4e31a50e1935a6206442a6f3de86629769)
10. [0xa7d940a0921f939cb78dee662fe1cab6ad6676b052ae94d03231f3cc899dc13c](https://etherscan.io/tx/0xa7d940a0921f939cb78dee662fe1cab6ad6676b052ae94d03231f3cc899dc13c)
11. [0xa3fd4f4c4dd4d9a2a1fb8e5267c21b35107ca106cc1b6552a287e3acbad845cb](https://etherscan.io/tx/0xa3fd4f4c4dd4d9a2a1fb8e5267c21b35107ca106cc1b6552a287e3acbad845cb)

**BSC Network**

Total value exploited on BSC: $191,000. BSC Tornado Cash deposits below:

1. [0xdc0a24b44fd2cbb71bee5eb0a17f8887ed7c1364fc32dacf4cdfcccf96e60079](https://bscscan.com/tx/0xdc0a24b44fd2cbb71bee5eb0a17f8887ed7c1364fc32dacf4cdfcccf96e60079)
2. [0x9ce23e9a84779d89c0e75dca425499b7103122d095bc1374500ebb3c7f879c83](https://bscscan.com/tx/0x9ce23e9a84779d89c0e75dca425499b7103122d095bc1374500ebb3c7f879c83)
3. [0x04b241b4dd59bdb28b60488bd49e2719a21594fa7fc597ee30eaf252da3ba311](https://bscscan.com/tx/0x04b241b4dd59bdb28b60488bd49e2719a21594fa7fc597ee30eaf252da3ba311)
4.
   [0x202ca109485d4724fb865d4802cbbac14c9384e7b0db4b71499dd49f92da8068](https://bscscan.com/tx/0x202ca109485d4724fb865d4802cbbac14c9384e7b0db4b71499dd49f92da8068)

Celer Bridge Transfers:

1. [0xf9051d82bbe3670a432032e19526416b9a1d4a70f17bc8d6860dff378a8692cb](https://bscscan.com/tx/0xf9051d82bbe3670a432032e19526416b9a1d4a70f17bc8d6860dff378a8692cb)
2. [0x12c8412f4d8b54be7ab402a4e2beb9497925362d2ba38471d403846138f39c70](https://bscscan.com/tx/0x12c8412f4d8b54be7ab402a4e2beb9497925362d2ba38471d403846138f39c70)
3. [0xaf7641375c98fe9fcbe21abad0d7389f8931aebd33c9a419b282f7c989185c19](https://bscscan.com/tx/0xaf7641375c98fe9fcbe21abad0d7389f8931aebd33c9a419b282f7c989185c19)
4. [0x0cf7ca20ecb72b899d79f0078c819c29e6556d81dab92631bd6c54bc37c5bc21](https://bscscan.com/tx/0x0cf7ca20ecb72b899d79f0078c819c29e6556d81dab92631bd6c54bc37c5bc21)
5. [0x2d7891196746de097b6e09f104232e7f590117dd49b71cd4fa47f5c0b2e225ae](https://bscscan.com/tx/0x2d7891196746de097b6e09f104232e7f590117dd49b71cd4fa47f5c0b2e225ae)

Funds sent from Celer: [0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1](https://etherscan.io/address/0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1)

![](https://hackmd.io/_uploads/B1vCqLbsh.png)