Project name: Orion Protocol
Project type: Exchange
Date of exploit: Feb 2, 2023
Asset loss: $3M
Vulnerability: Reentrancy
Date of audit report publishing: May 24, 2021
Conclusion: Out of Audit Scope
Orion Protocol is a liquidity aggregator that aggregates the liquidity of a single crypto exchange into a decentralized platform. The vulnerable exchange contract serves as a router for token swaps and also allows users to deposit into the contract.
The vulnerability is a reentrancy flaw in the exchange contract: during a swap, the attacker can make a reentrant call to deposit tokens, which causes the deposited tokens to also be counted in the swap process.
On Feb 2, 2023, Orion Protocol was exploited for $3M through a reentrancy attack targeting the exchange contract. The compromised contract (eth:0x98a877bb507f19eb43130b688f522a13885cf604) was not audited by CertiK. CertiK audited only Orion’s token and sale contracts.
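The accounting error described above, as an added example: a simplified Python model, not Orion's contract code, showing the unguarded ledger beside a hardened form that shares one reentrancy lock between deposit and swap. The class and function names are hypothetical, the amounts are constructed, and it assumes the swap measures its output as the contract's balance difference around an external token call.

```python
from contextlib import contextmanager

class ReentrantCall(Exception):
    """Stands in for a revert caused by a reentrancy guard."""

class Exchange:
    """Toy ledger (constructed): `held` = tokens in the contract, `credit` = owed to users."""
    def __init__(self, guarded):
        self.guarded, self.locked = guarded, False
        self.held, self.credit = 0, {}

    @contextmanager
    def _entry(self):
        # Hardened form: one shared lock across every state-changing entry point.
        if self.guarded and self.locked:
            raise ReentrantCall("deposit/swap entered during another call")
        prev, self.locked = self.locked, True
        try:
            yield
        finally:
            self.locked = prev

    def deposit(self, user, amount):
        with self._entry():
            self.held += amount
            self.credit[user] = self.credit.get(user, 0) + amount

    def swap(self, user, amount_out, token_hook):
        with self._entry():
            before = self.held
            token_hook(self)         # external call: untrusted token code runs here
            self.held += amount_out  # the real swap output arrives
            received = self.held - before  # assumption: output measured as balance delta
            self.credit[user] = self.credit.get(user, 0) + received
            return received

def run(guarded, deposit_amount=100, amount_out=10):
    """Swap whose token callback re-enters deposit(); returns (held, credited)."""
    ex = Exchange(guarded)
    try:
        ex.swap("user", amount_out, lambda e: e.deposit("user", deposit_amount))
    except ReentrantCall:
        pass  # guarded: the whole call reverts before any state changes
    return ex.held, ex.credit.get("user", 0)

if __name__ == "__main__":
    print("unguarded:", run(False))
    print("guarded:  ", run(True))
```

In the unguarded run the ledger credits more than the contract holds, because the deposit is recorded once by `deposit` and again inside the swap's balance delta; that gap is the invariant to check when reviewing or monitoring this kind of contract.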
Rekt news: https://rekt.news/orion-protocol-rekt/