Orbit Chain, a multi-asset blockchain focused on cross-chain transfers, recently fell victim to a sophisticated attack. As of December 31, 2023, a series of unauthorized transactions had resulted in financial losses of approximately $81.6 million.
The exploit appears to have been executed by compromising the owner’s private key, which allowed the attacker to create fake signatures for withdrawal transactions. This security breach resulted in the illegal transfer of various cryptocurrencies, including Ethereum (ETH), Tether (USDT), USD Coin (USDC), Wrapped Bitcoin (WBTC), and the algorithmic stablecoin DAI, to new wallets.
Detailed transaction history
Ethereum: After an initial small withdrawal of 0.004 ETH, approximately 9500 ETH was withdrawn from the vault.
Tether: The attacker initially withdrew 9.71 USDT and later withdrew approximately $30 million worth of USDT.
USD Coin: Starting with a small amount of 3.92 USDC, the attackers ended up stealing around 10 million USDC.
Wrapped Bitcoin: The initial outflow was 0.012 WBTC, followed by a significant withdrawal of approximately 230.879 WBTC.
Technical analysis
The core of the exploit involves misusing valid signatures for unauthorized transactions. Orbit Chain’s smart contract verification mechanism lacked the ability to directly link signatures to specific transaction details. This oversight allowed an attacker with access to one or more of the validator’s private keys to pass validation and execute fraudulent transactions.
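The missing link between signature and transaction details can be illustrated with an added example; it is not Orbit Chain's contract code. The field names, the quorum of 2 and the keys are assumptions, and HMAC-SHA256 stands in for the validators' real signature scheme.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed validator keys. HMAC-SHA256 stands in for the validators' real
# signature scheme so the example runs on the standard library alone.
VALIDATOR_KEYS = {"v1": b"constructed-key-1", "v2": b"constructed-key-2",
                  "v3": b"constructed-key-3"}
THRESHOLD = 2  # assumed quorum

@dataclass(frozen=True)
class Withdrawal:  # hypothetical field set
    chain_id: int
    vault: str
    token: str
    recipient: str
    amount: int
    nonce: int

def digest(w: Withdrawal) -> bytes:
    """Hash every field, length-prefixed so adjacent fields cannot be shifted."""
    h = hashlib.sha256(b"withdraw-v1")
    for field in (w.chain_id, w.vault, w.token, w.recipient, w.amount, w.nonce):
        raw = str(field).encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.digest()

def sign(validator: str, message: bytes) -> bytes:
    return hmac.new(VALIDATOR_KEYS[validator], message, hashlib.sha256).digest()

def count_valid(message: bytes, sigs: dict) -> int:
    """Count known validators whose signature matches the message."""
    return sum(1 for v, s in sigs.items()
               if v in VALIDATOR_KEYS and hmac.compare_digest(s, sign(v, message)))

def verify_unbound(w: Withdrawal, claimed_hash: bytes, sigs: dict) -> bool:
    """Weak: the signed hash is supplied by the caller and never tied to w."""
    return count_valid(claimed_hash, sigs) >= THRESHOLD

def verify_bound(w: Withdrawal, sigs: dict, used: set) -> bool:
    """Hardened: recompute the digest from w itself and reject reused nonces."""
    key = (w.chain_id, w.vault, w.nonce)
    if key in used or count_valid(digest(w), sigs) < THRESHOLD:
        return False
    used.add(key)
    return True

# Constructed sample: validators approve a 10-unit withdrawal to 0xA11CE.
APPROVED = Withdrawal(1, "0xVAULT", "USDT", "0xA11CE", 10, 7)
SIGS = {v: sign(v, digest(APPROVED)) for v in ("v1", "v2")}
ALTERED = replace(APPROVED, recipient="0xB0B", amount=10_000)
```

With the constructed sample, `verify_unbound` accepts `ALTERED` when handed the approved digest and its signatures, while `verify_bound` rejects it and also rejects a second submission of `APPROVED`. Binding does not help once a quorum of validator keys is compromised, which is why key management still matters.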
After the attack, the Orbit Chain team communicated with the attackers and indicated their willingness to negotiate. To prevent such incidents in the future, it is recommended that blockchain protocols strengthen verification processes, ensure secure private key management, and implement safeguards against unauthorized transactions. For better private key management, Hardware Security Modules (HSMs) are proposed to reduce the risk of similar compromises.