Orange Finance warned all its users not to interact with its smart contracts on Arbitrum, as they have been compromised by a hacker. The attacker also withdrew funds from some of the contracts, with losses up to around $840K.

Orange Finance’s smart contracts on the Arbitrum network have been compromised, and funds have been stolen. The project warned its users to check their wallets and revoke any permissions for smart contracts to avoid losses. 

The exploit arrives after a year of peak phishing activity, aiming to exploit wallet owners and project teams through malicious links or software. At this point, it is uncertain how the hacker managed to gain control of the multisig wallets and contracts, as well as the liquidity vaults.

The attacker managed to drain liquidity vaults for tokens and stablecoins. Several vault addresses have been drained, though the protocol retains around 50% of its liquidity.

Please check your wallet and revoke approves to Orange Finance. https://t.co/mEVJ8GTR8v

— Orange Finance🍊 (@0xOrangeFinance) January 8, 2025

Orange Finance is still investigating the nature of the exploit

The attacker managed to gain control of the admin wallet for Orange Finance, changing the behavior of all smart contracts. The attacker most probably exploited low security on the project’s multisig wallet, which was overlooked despite previous security audits. 

The Orange Finance team sent out an on-chain message to the hacker, suggesting the funds may be returned in exchange for treating the accident as a white-hat attempt.

The losses from taking control of the project’s vaults are estimated at $840,000, though the final result may be higher. The assets stolen included stablecoins and WETH, and have all been converted to ETH and traded already. 

Orange Finance has closed its stablecoin vault and warned of other potentially compromised addresses. The hacker had full control of the transfers, and there are no track records of simply using the smart contract’s own logic. 

The team is still investigating the exploit and warning users not to attempt to withdraw any remaining liquidity. 

Orange Finance is one of the most used liquidity aggregation protocols on Arbitrum. At its peak, the project held $1.94M in total value locked. The attack did not fully drain all vaults, as the protocol retains around $731K. 

Arbitrum carries more than $980M in DEX trading activity, with liquidity inflows from Ethereum. The L2 chain is one of the most liquid venues for DEX trading, due to the inflow of stablecoins and the extremely low trading fees. 

Stryke Protocol also affected

The hacker also exploited the vaults of Stryke Protocol, hitting its liquidity provision market. The project claimed its main features remain secure and uncompromised, but has temporarily stopped all its activity on Arbitrum. 

Orange Finance is a partner protocol to Stryke, specifically targeting Arbitrum activities with concentrated liquidity. Stryke itself has not lost funds directly, outside the limited number of vaults on Orange Finance. 

The biggest problem from the closed smart contracts is that both protocols have open positions, which may be liquidated in cases of market volatility. Liquidity providers may incur losses for some of their positions if the protocol remains closed. Users are receiving failed transaction notices as they are unable to secure their positions. 

Stryke Protocol holds around $2.17M in liquidity, and it is a relatively minor market for liquidity. The project, formerly known as Dopex, trades BTC, ETH, ARB, and BOOP options.

Stryke Protocol, like Orange Protocol, is still tokenless, with points rewarded for the activity. The protocols have not mentioned an upcoming airdrop, but may still attract users expecting a token in the future. Fortunately, the hack did not affect any existing tokens, as market losses are usually higher compared to the hack itself. 

The protocols are attractive for offering higher returns in exchange for liquidity to some of the key trading pairs. Stryke Protocol and OrangeProtocol are boosting activities on major DEXs, including Uniswap and PancakeSwap, focusing on some of the most active and liquid pairs. The protocol achieved extremely high payouts for the vaults to offset the potential risk. Recently, some of the vaults brought more than 1,020% annualized to the providers of concentrated liquidity.

From Zero to Web3 Pro: Your 90-Day Career Launch Plan