On January 1, 2024, according to monitoring data from Beosin EagleEye, the Orbit Chain project suffered an attack resulting in a loss of at least $80 million. Beosin Trace analysis reveals that the hacker’s address (0x27e2cc59a64d705a6c3d3d306186c2a55dcd5710) initiated a small-scale attack a day prior, using the stolen ETH as the transaction fee source for the remaining five addresses involved in the attack.

Orbit Chain is a cross-chain bridge platform, allowing users to use various encrypted assets from different blockchains on a single chain. The project has temporarily suspended the cross-chain bridge contract and is in communication with the hacker. Beosin’s security team conducted an immediate analysis of this security incident.

Event Analysis

The main aspect of this incident involved the attacker directly calling the withdraw function of the Orbit Chain: Bridge contract to transfer assets.

Further analysis of the withdraw function's code reveals that the function relies on signature verification to ensure that a withdrawal is legitimate and authorized.

In blockchain transactions, signature verification is a common security mechanism used to confirm whether the initiator of a transaction has sufficient permissions and control. In the withdraw function, the signature verification method ensures that only authorized users or contracts can successfully call the function and transfer assets.

Stepping into the signature verification function (_validate), it can be observed that the function returns the number of valid owner signatures, which is the key piece of information for judging the legitimacy and security of the transaction.

By returning the number of owner signatures, the compliance and authenticity of the transaction can be verified to some extent. Depending on the specific implementation, the number of owner signatures may be compared to a pre-set threshold to determine whether the conditions for executing the transaction are met.

The subsequent step involves checking whether this quantity is greater than or equal to the required value. If the conditions are met, the withdrawal is executed.

According to on-chain data, there are a total of 10 addresses managing this contract. The required value is 7, indicating that 70% of administrator signatures are required to execute the withdrawal transaction.
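To make the withdraw / _validate flow described above concrete, here is an added model of a threshold-signature check. It is illustrative code written for this post, not Orbit Chain's contract: a real bridge contract recovers ECDSA signers with ecrecover, whereas this model uses HMAC with per-owner secret keys as a stand-in so it runs offline. The owner addresses, keys, withdrawal message and the function names are constructed; only the 10 owners and the threshold of 7 come from the post. The model also shows the checks a defender would expect such a function to make: a duplicate signature from the same owner counts once, a signature from a non-owner is ignored, and a signature over a different message does not verify.

```python
import hashlib
import hmac
import secrets

# Constructed example: simplified threshold-signature validation modelled on the
# withdraw()/_validate() path described in the post. HMAC over a per-owner secret
# key stands in for ECDSA recovery; addresses, keys and messages are made up.

OWNER_COUNT = 10   # from the post: 10 addresses manage the contract
REQUIRED = 7       # from the post: 7 owner signatures are required (70%)


def make_owners(n=OWNER_COUNT):
    """Return {owner_address: secret_key}; both values are constructed."""
    return {f"0xowner{i:02d}": secrets.token_bytes(32) for i in range(n)}


def sign(secret_key, message):
    """Stand-in for an owner's ECDSA signature over the withdrawal message."""
    return hmac.new(secret_key, message, hashlib.sha256).digest()


def withdraw_message(to, token, amount, nonce):
    """Canonical bytes the owners sign; the nonce prevents replay of an old approval."""
    return f"{to}|{token}|{amount}|{nonce}".encode()


def validate(owners, message, signatures):
    """Model of _validate: count DISTINCT owners whose signature over message verifies."""
    seen = set()
    for signer, sig in signatures:
        key = owners.get(signer)
        if key is None:
            continue                      # signer is not an owner: ignored
        if signer in seen:
            continue                      # duplicate from the same owner: counted once
        if hmac.compare_digest(sign(key, message), sig):
            seen.add(signer)              # only valid signatures are counted
    return len(seen)


def withdraw(owners, message, signatures, required=REQUIRED):
    """Model of withdraw: execute only when the signature count reaches the threshold."""
    count = validate(owners, message, signatures)
    if count < required:
        raise PermissionError(f"only {count} of {required} required owner signatures")
    return count


def scenario_results():
    """Run the edge cases a reviewer would check and return the signature counts."""
    owners = make_owners()
    addrs = list(owners)
    msg = withdraw_message("0xrecipient", "USDT", 30_000_000, nonce=1)
    sigs7 = [(a, sign(owners[a], msg)) for a in addrs[:7]]
    sigs6_dup = sigs7[:6] + [sigs7[0]]                       # 6 distinct + 1 duplicate
    stranger = ("0xnotowner", sign(secrets.token_bytes(32), msg))
    sigs6_stranger = sigs7[:6] + [stranger]                  # 6 distinct + 1 non-owner
    other_msg = withdraw_message("0xrecipient", "USDT", 30_000_000, nonce=2)
    return {
        "seven_distinct": validate(owners, msg, sigs7),              # 7 -> passes
        "six_plus_duplicate": validate(owners, msg, sigs6_dup),      # 6 -> rejected
        "six_plus_non_owner": validate(owners, msg, sigs6_stranger), # 6 -> rejected
        "signatures_over_other_message": validate(owners, other_msg, sigs7),  # 0
    }


if __name__ == "__main__":
    for name, count in scenario_results().items():
        print(f"{name}: {count} valid owner signature(s)")
```

The model also makes the post's conclusion visible: the threshold check only counts valid owner signatures, so if an attacker holds at least 7 of the 10 owner keys, the signatures they produce are indistinguishable from legitimate ones and the contract-level check passes. That is why the analysis points at custody of the administrator keys rather than at the contract logic.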

In summary, the cause of the incident appears to be a compromise of the server holding the administrator’s private keys.

Attack Process

According to on-chain data, the hacker initiated attacks on the Orbit Chain project progressively starting from December 30, 2023, 03:39:35 PM +UTC. The amount of ETH stolen by the hacker was relatively small, and the stolen ETH was sent to several other hacker addresses as transaction fees.

Several other hacker addresses subsequently attacked Orbit Chain’s DAI, WBTC, ETH, USDC, and USDT on December 31, 2023, 9:00 PM +UTC.

Funds Tracking

As of the time of writing, the stolen funds were transferred to the five addresses mentioned earlier after the formal initiation of the attack. In five separate transactions, each sent to a new wallet, Orbit Bridge sent $50 million in stablecoins (30 million Tether, 10 million DAI, and 10 million USDC), 231 wBTC (approximately $10 million), and 9,500 ETH (approximately $21.5 million).

This cross-chain bridge security incident serves as a security reminder, emphasizing that security should always be a top consideration in designing and implementing blockchain systems.

Firstly, attention should be given to code security. Contract code is a core component of blockchain systems, and therefore, best practices and security standards should be followed when writing and reviewing contract code to avoid common security vulnerabilities and attack vectors.

Secondly, authentication and identity verification are crucial. In blockchain systems, ensuring that only authorized users or contracts can perform key operations is critical to preventing unauthorized access and asset loss. Adopting robust identity verification mechanisms, multi-signatures, and permission management measures can effectively restrict access and ensure that only authorized entities can perform sensitive operations.

Contact

If you need any blockchain security services, you are welcome to contact us through the Beosin official website, Beosin EagleEye, Twitter, Telegram, or LinkedIn.