The Orbit Chain, a multi-asset blockchain that focuses on cross-chain transfers, recently fell victim to a sophisticated exploit. Notably, on December 31, 2023, a series of unauthorized transactions resulted in a significant financial loss, amounting to approximately $81.6 million.
It appears that the exploit was executed by compromising the owner’s private keys, allowing the attacker to create fake signatures for withdrawal transactions. This security breach led to the illegal transfer of several cryptocurrencies, including Ethereum (ETH), Tether (USDT), USD Coin (USDC), Wrapped Bitcoin (WBTC), and the algorithmic stablecoin DAI, to new wallets.
transaction details
Ethereum: An initial small withdrawal of 0.004 ETH was followed by a vault emptying of approximately 9500 ETH.
Tether: The attacker initially withdrew 9.71 USDT and later approximately $30 million in USDT.
USD Coin: Starting with a small amount of 3.92 USDC, the attacker ended up draining around $10 million USDC.
Wrapped Bitcoin: The initial drain was 0.012 WBTC, followed by a substantial withdrawal of approximately 230.879 WBTC.
Technical analysis
The core of the exploit involved the misuse of valid signatures for unauthorized transactions. Orbit Chain’s smart contract validation mechanism lacked the ability to directly link signatures to specific transaction details. This surveillance allowed the attacker, who had access to at least one validator’s private key, to pass the validation checks and execute the fraudulent transactions.
After the exploit, the Orbit Chain team communicated with the attacker, indicating he was willing to negotiate. To prevent such incidents in the future, it is recommended that blockchain protocols improve their validation processes, ensure secure management of private keys, and implement fail-safes against unauthorized transactions. Hardware Security Modules (HSMs) are proposed for better private key management, reducing the risk of similar compromises.
Image source: Shutterstock