$844 000 USD

JANUARY 2025

GLOBAL

ORANGE FINANCE

DESCRIPTION OF EVENTS

"Orange Finance is an automated liquidity management protocol at the forefront of LPDfi innovation in the DeFi space. Our mission is to simplify liquidity provision and enhance profitability within LPDfi protocols. We're actively developing liquidity management vaults on top of LPDfi protocols, making LPDfi more accessible and user-friendly. Orange Finance stands as a pivotal gate connecting users and LPDfi protocols, contributing to the growth and stability of DeFi liquidity."

 

The multi-sig wallet was set to allow execution with a single signature, bypassing the intended multiple approvals for critical operations.

 

The protocol had inadequate internal processes for managing private keys, insufficient oversight, and no clear policies for backup or storage. There were no approval flows, auditing frameworks, or incident response procedures to detect and prevent an attack based on knowledge of the private key.

 

The attacker exploited the misconfigured multi-sig wallet, which allowed critical operations (such as ownership changes) to be executed by a single individual. This enabled the attacker to gain control of vaults, withdraw assets, and approve excessive withdrawals.
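The single-signature setting described above is something a defender can check directly from on-chain data. The following is an added example, not code from Orange Finance or from this page: it decodes ABI-encoded return data and applies a minimum-signer policy. It assumes a Safe-style wallet whose `getThreshold()` returns `uint256` and whose `getOwners()` returns `address[]` (the page does not name the wallet software); the owner addresses, the policy value and all sample data are constructed.

```python
# Audit a multisig's signer configuration from raw eth_call return data.
# Assumption: a Safe-style wallet where getThreshold() returns uint256 and
# getOwners() returns address[]; the page does not name the wallet software.
MIN_THRESHOLD = 2  # assumed policy: no critical operation on one signature

def decode_uint256(data_hex):
    """Decode a single ABI-encoded uint256 return value."""
    raw = bytes.fromhex(data_hex.removeprefix("0x"))
    if len(raw) != 32:
        raise ValueError("expected exactly one 32-byte word")
    return int.from_bytes(raw, "big")

def decode_address_array(data_hex):
    """Decode an ABI-encoded address[] return value (offset, length, items)."""
    raw = bytes.fromhex(data_hex.removeprefix("0x"))
    if len(raw) % 32 or len(raw) < 64:
        raise ValueError("malformed ABI data")
    words = [raw[i:i + 32] for i in range(0, len(raw), 32)]
    start = int.from_bytes(words[0], "big") // 32  # word index of the length
    if start >= len(words):
        raise ValueError("array offset points outside the data")
    count = int.from_bytes(words[start], "big")
    items = words[start + 1:start + 1 + count]
    if len(items) != count or any(w[:12] != bytes(12) for w in items):
        raise ValueError("truncated or non-address element")
    return ["0x" + w[12:].hex() for w in items]

def audit_multisig(threshold_hex, owners_hex):
    """Return a list of findings; an empty list means the policy is met."""
    threshold = decode_uint256(threshold_hex)
    owners = decode_address_array(owners_hex)
    findings = []
    if threshold < MIN_THRESHOLD:
        findings.append(f"threshold {threshold} of {len(owners)}: one key can execute")
    if len(owners) < MIN_THRESHOLD:
        findings.append("fewer than two owners: no independent approver exists")
    if threshold > len(owners):
        findings.append("threshold exceeds owner count: wallet cannot execute")
    return findings

def _word(n):  # builds one 32-byte ABI word for the constructed samples
    return n.to_bytes(32, "big").hex()

# Constructed sample data: three placeholder owners (0x..01 to 0x..03).
OWNERS = "0x" + _word(32) + _word(3) + _word(1) + _word(2) + _word(3)
WEAK = audit_multisig("0x" + _word(1), OWNERS)   # single-signature threshold
FIXED = audit_multisig("0x" + _word(2), OWNERS)  # corrected 2-of-3 setting
```

Running the same check on a schedule, and again after any owner or threshold change, catches a wallet that has drifted back to a single-signature configuration.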

 

The attacker performed multiple steps to exploit the system, including transferring ERC20 tokens, withdrawing unclaimed rewards, modifying vault ownerships, and transferring assets to their address.

 

 

About 94% ($780,000) of the loss came from deposited assets, and 6% ($47,000) resulted from excessive approvals.

 

"The following contracts experienced losses as outlined below:

  • Uniswap WETH-USDC: $135,709.63
  • Uniswap USDC-ARB: $100,278.28
  • Uniswap USDC-WBTC: $83,546.96
  • Uniswap BOOP-WETH: $20,109.71
  • Pancake WETH-USDC: $259,376.45
  • Pancake USDC-ARB: $65,917.20
  • Pancake USDC-WBTC: $146,541.50
  • Sushi WETH-USDC: $15,519.62
  • Sushi USDC-WBTC: $4,414.83
  • OrangeDistributor: $12,142.71614

Total losses: $843,556.90"

 

"These total losses can be broken down as follows:

  • Deposit losses: $783,966.93
  • Losses due to approvals: $47,447.26
  • Unclaimed SYK reward losses: $12,142.71614"

 

The immediate response included temporarily pausing the Stryke vault to secure remaining assets, disabling deposits and withdrawals via the Orange UI, collaborating with Seal 911 to investigate and identify the attacker, and initiating fund recovery efforts by reaching out to the attacker via Arbiscan with an offer to resolve the issue as a white-hat hack.

 

A Google Spreadsheet will be published containing user-specific loss details (wallet addresses and loss breakdowns).

 

Further investigation will examine the private key leakage and how the attacker gained access.

 

Efforts are ongoing to establish recovery measures, including potential compensation, once the investigation is completed.

 

Orange Finance continues to investigate and will provide updates on significant findings as they emerge.

 

Explore This Case Further On Our Wiki

Orange Finance is an automated liquidity management protocol based on the Arbitrum blockchain, aiming to make liquidity providing derivatives more user friendly and accessible. On January 7th, 2025, the private key managing the protocol was breached, allowing an attacker to drain most of the stored liquidity and funds present in the vault. The team published an update the next day, in which they went over key aspects of the attack. The team continues to investigate and is working toward the recovery of user funds.
