
Hunting Orion: The $3M Loss from a Reentrancy Attack


Project name: Orion Protocol

Project type: Exchange

Date of exploit: Feb 2, 2023

Asset loss: $3M

Vulnerability: Reentrancy

Date of audit report publishing: May 24, 2021

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Orion Protocol is a liquidity aggregator that aggregates the liquidity of a single crypto exchange into a decentralized platform. The (vulnerable) exchange contract serves as a router to swap tokens and also allows users to deposit tokens into the contract.

Nature of the Vulnerability

The vulnerability is a reentrancy flaw in the exchange contract: while a swap is in progress, the attacker can reenter the contract and deposit tokens, so the deposited tokens are also counted as output of the swap.
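To make the accounting failure concrete, here is an added Python model of the pattern described above. It is not Orion's contract code and is deliberately simplified: an exchange that credits the swapper with the output token's balance difference across the swap, a constructed intermediate token whose transfer calls back into the exchange, and the same exchange with a reentrancy lock. The names `Exchange`, `Pool`, `pair0`/`pair1`, the 1:1 swap rate and the amounts are assumptions for illustration only.

```python
from collections import defaultdict


class ReentrancyError(Exception):
    """Raised by the guarded exchange on a reentrant call (stands in for an EVM revert)."""


class Token:
    """Constructed ERC-20-like ledger. `hook`, if set, runs on every transfer and
    models a token whose transfer code calls back into another contract."""

    def __init__(self, name, hook=None):
        self.name, self.hook = name, hook
        self.ledger = defaultdict(int)

    def mint(self, who, amount):
        self.ledger[who] += amount

    def balance_of(self, who):
        return self.ledger[who]

    def transfer(self, src, dst, amount):
        if self.ledger[src] < amount:
            raise ValueError(f"{self.name}: insufficient balance for {src}")
        self.ledger[src] -= amount
        self.ledger[dst] += amount
        if self.hook:
            self.hook(src, dst, amount)


class Pool:
    """Constructed multi-hop router: each hop is a 1:1 pair named pair0, pair1, ..."""

    @staticmethod
    def swap(caller, path, amount):
        pairs = [f"pair{i}" for i in range(len(path) - 1)]
        path[0].transfer(caller, pairs[0], amount)
        for i in range(1, len(path) - 1):  # intermediate hops move tokens between pairs
            path[i].transfer(pairs[i - 1], pairs[i], amount)
        path[-1].transfer(pairs[-1], caller, amount)


class Exchange:
    """Exchange that credits the swapper with (balance after - balance before) of the
    output token. `guarded=True` adds the reentrancy lock that blocks the reentered deposit."""

    ADDRESS = "exchange"

    def __init__(self, guarded):
        self.guarded, self._locked = guarded, False
        self.credits = defaultdict(int)  # (user, token name) -> internal balance

    def _enter(self):
        if self.guarded and self._locked:
            raise ReentrancyError("reentrant call rejected")
        self._locked = True

    def _exit(self):
        self._locked = False

    def deposit(self, user, token, amount):
        self._enter()
        try:
            token.transfer(user, self.ADDRESS, amount)
            self.credits[(user, token.name)] += amount
        finally:
            self._exit()

    def swap(self, user, path, amount_in):
        self._enter()
        try:
            path[0].transfer(user, self.ADDRESS, amount_in)
            before = path[-1].balance_of(self.ADDRESS)
            Pool.swap(self.ADDRESS, path, amount_in)
            # Vulnerable accounting: any inflow of the output token during the pool
            # call, including a reentered deposit, is credited as swap output.
            received = path[-1].balance_of(self.ADDRESS) - before
            self.credits[(user, path[-1].name)] += received
            return received
        finally:
            self._exit()


def run_scenario(guarded):
    """Return the attacker's USDT credit after the swap. Honest accounting would
    credit 110: the 100 USDT deposit plus 10 USDT of real swap output."""
    ex = Exchange(guarded)
    usdc, usdt = Token("USDC"), Token("USDT")

    def reenter(src, dst, amount):
        # Hook on the attacker-controlled intermediate token: while the swap is in
        # flight, deposit USDT so it lands inside the swap's before/after window.
        if src == "pair0":
            ex.deposit("attacker", usdt, 100)

    atk = Token("ATK", hook=reenter)
    usdc.mint("attacker", 10)
    usdt.mint("attacker", 100)
    atk.mint("pair0", 1_000)   # constructed pool reserves
    usdt.mint("pair1", 1_000)
    try:
        ex.swap("attacker", [usdc, atk, usdt], 10)
    except ReentrancyError:
        pass  # a real contract would revert the whole transaction here
    return ex.credits[("attacker", "USDT")]


if __name__ == "__main__":
    print("unguarded credit:", run_scenario(False))  # 210: deposit counted twice
    print("guarded credit:  ", run_scenario(True))   # 0: reentered deposit rejected
```

In the unguarded run the attacker pays in 100 USDT once but is credited 210, because the balance-difference check cannot tell swap output from a deposit made during the same call. The lock is the minimal fix; the model also shows why the check itself is the weak point, since any token on the path with a transfer callback can open the window.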

CertiK Audit Overview

[Two screenshots of the CertiK audit overview; image content not recoverable as text.]

Conclusion

On Feb 2, 2023, the Orion Protocol was exploited for $3M due to a reentrancy attack targeting the exchange contract. The compromised contract (eth:0x98a877bb507f19eb43130b688f522a13885cf604) was not audited by CertiK. CertiK audited only Orion's token and sale contracts.

References

Rekt news: https://rekt.news/orion-protocol-rekt/
