Orange Finance Smart Contract Private Key Compromised: Difference between revisions
No edit summary |
(COMPLETE 30 minutes. Changed template. Sorting through/renaming sources. Spreading throughout the timeline and other areas. Added descriptions for 3 of the arbitrum transactions to the matching sources and spread those sources throughout the timeline.) |
||
| Line 1: | Line 1: | ||
{{ | {{Case Study Under Construction}}{{Unattributed Sources}} | ||
{{Unattributed Sources}} | |||
[[File:Orangefinance.jpg|thumb|Orange Finance Logo/Homepage]]Orange Finance is an automated liquidity management protocol based on the Arbitrum blockchain, aiming to make liquidity providing derivatives more user friendly and accessible. On January 7th, 2025, the private key managing the protocol was breached, allowing an attacker to drain most of the stored liquidity and funds present in the vault. The team published an update the next day, in which they went over key aspects of the attack. The team continues to investigate and is working toward the recovery of user funds.<ref name="rektnews-17104" /><ref name="slowmisthackedarchive-17105" /><ref name="mirror-17106" /><ref name="arbiscan-17107" /><ref name="arbiscan-17108" /><ref name="arbiscan-17109" /><ref name="arbiscan-17110 | [[File:Orangefinance.jpg|thumb|Orange Finance Logo/Homepage]]Orange Finance is an automated liquidity management protocol based on the Arbitrum blockchain, aiming to make liquidity providing derivatives more user friendly and accessible. On January 7th, 2025, the private key managing the protocol was breached, allowing an attacker to drain most of the stored liquidity and funds present in the vault. The team published an update the next day, in which they went over key aspects of the attack. The team continues to investigate and is working toward the recovery of user funds.<ref name="rektnews-17104" /><ref name="slowmisthackedarchive-17105" /><ref name="mirror-17106" /><ref name="arbiscan-17107" /><ref name="arbiscan-17108" /><ref name="arbiscan-17109" /><ref name="arbiscan-17110" /> | ||
== About Orange Finance == | == About Orange Finance == | ||
"Orange Finance is an automated liquidity management protocol at the forefront of LPDfi innovation in the DeFi space. Our mission is to simplify liquidity provision and enhance profitability within LPDfi protocols. We're actively developing liquidity management vaults on top of LPDfi protocols, making LPDfi more accessible and user-friendly. Orange Finance stands as a pivotal gate connecting users and LPDfi protocols, contributing to the growth and stability of DeFi liquidity." | "Orange Finance is an automated liquidity management protocol at the forefront of LPDfi innovation in the DeFi space. Our mission is to simplify liquidity provision and enhance profitability within LPDfi protocols. We're actively developing liquidity management vaults on top of LPDfi protocols, making LPDfi more accessible and user-friendly. Orange Finance stands as a pivotal gate connecting users and LPDfi protocols, contributing to the growth and stability of DeFi liquidity."<ref name="orangefinanceapp-17114" /><ref name="orangefinance-17115" /> | ||
== The Reality == | == The Reality == | ||
| Line 13: | Line 12: | ||
== What Happened == | == What Happened == | ||
The Orange Finance admin private key was compromised, allowing the adversary to withdraw significant assets from the smart contract. | |||
{| class="wikitable" | {| class="wikitable" | ||
|+Key Event Timeline - Orange Finance Smart Contract Private Key Compromised | |+Key Event Timeline - Orange Finance Smart Contract Private Key Compromised | ||
| Line 30: | Line 29: | ||
|January 7th, 2025 2:22:25 PM MST | |January 7th, 2025 2:22:25 PM MST | ||
|WETH-USDC Vault Burns | |WETH-USDC Vault Burns | ||
|The attacker replaces the vault implementations with an attacker-controlled version, and burns all unused Stryke positions in WETH-USDC. | |The attacker replaces the vault implementations with an attacker-controlled version, and burns all unused Stryke positions in WETH-USDC<ref name="arbiscan-17110" />. | ||
|- | |- | ||
|January 7th, 2025 2:22:28 PM MST | |January 7th, 2025 2:22:28 PM MST | ||
|Remaining Vault Burns | |Remaining Vault Burns | ||
|The attacker replaces the vault implementations with an attacker-controlled version, and burns all remaining unused Stryke positions. | |The attacker replaces the vault implementations with an attacker-controlled version, and burns all remaining unused Stryke positions<ref name="arbiscan-17111" />. | ||
|- | |- | ||
|January 7th, 2025 2:34:34 PM MST | |January 7th, 2025 2:34:34 PM MST | ||
|Swapping To Ethereum | |Swapping To Ethereum | ||
|The attacker swaps all stolen ERC20 tokens for ethereum. | |The attacker swaps all stolen ERC20 tokens for ethereum<ref name="arbiscan-17112" />. | ||
|- | |- | ||
|January 7th, 2025 2:36:58 PM MST | |January 7th, 2025 2:36:58 PM MST | ||
| Line 46: | Line 45: | ||
|January 7th, 2025 10:28:00 PM MST | |January 7th, 2025 10:28:00 PM MST | ||
|Initial Twitter Post | |Initial Twitter Post | ||
|The Orange Finance team posts on Twitter revealing that a hacker had gained control of the admin address, upgraded the contracts, and transferred funds to their wallet. The team is still investigating the incident and is unsure of the specifics at this time. Several vaults, including Stryke vaults and a closed Stable vault, have been mentioned as potentially compromised. Specific wallet addresses for these vaults are listed in the announcement. All users should revoke any contract approvals related to Orange Finance to prevent further issues. | |The Orange Finance team posts on Twitter revealing that a hacker had gained control of the admin address, upgraded the contracts, and transferred funds to their wallet<ref name="0xorangefinancetwitter-17113" />. The team is still investigating the incident and is unsure of the specifics at this time. Several vaults, including Stryke vaults and a closed Stable vault, have been mentioned as potentially compromised. Specific wallet addresses for these vaults are listed in the announcement. All users should revoke any contract approvals related to Orange Finance to prevent further issues<ref name="0xorangefinancetwitter-17113" />. | ||
|- | |- | ||
|January 9th, 2025 4:20:47 AM MST | |January 9th, 2025 4:20:47 AM MST | ||
| Line 58: | Line 57: | ||
The attacker performed multiple steps to exploit the system, including transferring ERC20 tokens, withdrawing unclaimed rewards, modifying vault ownerships, and transferring assets to their address. | The attacker performed multiple steps to exploit the system, including transferring ERC20 tokens, withdrawing unclaimed rewards, modifying vault ownerships, and transferring assets to their address. | ||
Contract Upgrade and WETH/USD Stryke Positions Burned<ref name="arbiscan-17110" />.Replacement Of Stryke Vault implementations<ref name="arbiscan-17111" />. | |||
Swap ERC20 to ethereum<ref name="arbiscan-17112" />. | |||
== Total Amount Lost == | == Total Amount Lost == | ||
| Line 85: | Line 86: | ||
== Immediate Reactions == | == Immediate Reactions == | ||
<ref name="0xorangefinancetwitter-17113" /> | |||
Immediate Response included a temporary pause on the Stryke vault to secure remaining assets, deposits and withdrawals were disabled via the Orange UI, collaboration with Seal 911 to investigate and identify the attacker, and fund recovery efforts were initiated by reaching out to the attacker via Arbiscan with an offer to resolve the issue as a white-hat hack. | Immediate Response included a temporary pause on the Stryke vault to secure remaining assets, deposits and withdrawals were disabled via the Orange UI, collaboration with Seal 911 to investigate and identify the attacker, and fund recovery efforts were initiated by reaching out to the attacker via Arbiscan with an offer to resolve the issue as a white-hat hack. | ||
| Line 117: | Line 120: | ||
== References == | == References == | ||
<references><ref name="rektnews-17104">[https://rekt.news/orange-finance-rekt/ Rekt - Orange Finance - Rekt] (Accessed Jan 10, 2025)</ref> | <references> | ||
<ref name="rektnews-17104">[https://rekt.news/orange-finance-rekt/ Rekt - Orange Finance - Rekt] (Accessed Jan 10, 2025)</ref> | |||
<ref name="slowmisthackedarchive-17105">[https://web.archive.org/web/20250110195254/https://hacked.slowmist.io/ SlowMist Hacked - SlowMist Zone] (Accessed Jan 10, 2025)</ref> | <ref name="slowmisthackedarchive-17105">[https://web.archive.org/web/20250110195254/https://hacked.slowmist.io/ SlowMist Hacked - SlowMist Zone] (Accessed Jan 10, 2025)</ref> | ||
<ref name="mirror-17106">[https://mirror.xyz/0x6FA2aF9a4d6fFe654361F713780963C10412e7c3/gN17YMrLhKKg9YT9a391U74pWr9IhqBUDWUqDyDamjE Orange Finance Jan 9th Follow-up Investigation Report on the Inc… — Orange Finance] (Accessed Jan 10, 2025)</ref> | <ref name="mirror-17106">[https://mirror.xyz/0x6FA2aF9a4d6fFe654361F713780963C10412e7c3/gN17YMrLhKKg9YT9a391U74pWr9IhqBUDWUqDyDamjE Orange Finance Jan 9th Follow-up Investigation Report on the Inc… — Orange Finance] (Accessed Jan 10, 2025)</ref> | ||
<ref name="arbiscan-17107">[https://arbiscan.io/tx/0x093673927fc38783d37717b4bd14693c29035fceff6a0c7747db21e88c4ea28f Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Jan 10, 2025)</ref> | <ref name="arbiscan-17107">[https://arbiscan.io/tx/0x093673927fc38783d37717b4bd14693c29035fceff6a0c7747db21e88c4ea28f Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Jan 10, 2025)</ref> | ||
<ref name="arbiscan-17108">[https://arbiscan.io/tx/0x855625c6775b0acd5048b0c94466f76c3c361e2269445e66ae7ae352f04f538f Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Jan 10, 2025)</ref> | <ref name="arbiscan-17108">[https://arbiscan.io/tx/0x855625c6775b0acd5048b0c94466f76c3c361e2269445e66ae7ae352f04f538f Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Jan 10, 2025)</ref> | ||
<ref name="arbiscan-17109">[https://arbiscan.io/tx/0x14535a9c8e7d5fa2c94de52067a3cf93369273517532e0a06871ddceb3e67dd7 Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Jan 10, 2025)</ref> | <ref name="arbiscan-17109">[https://arbiscan.io/tx/0x14535a9c8e7d5fa2c94de52067a3cf93369273517532e0a06871ddceb3e67dd7 Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One] (Accessed Jan 10, 2025)</ref> | ||
<ref name="arbiscan-17110">[https://arbiscan.io/tx/0xad0d094c8ea32110ee3bc00d9ba040a79f5ba411296cef5e9b4d25a2c2e2a888 Contract Upgrade and WETH/USD Stryke Positions Burned - Arbitrum One] (Accessed Jan 10, 2025)</ref> | |||
<ref name="arbiscan-17110">[https://arbiscan.io/tx/0xad0d094c8ea32110ee3bc00d9ba040a79f5ba411296cef5e9b4d25a2c2e2a888 | <ref name="arbiscan-17111">[https://arbiscan.io/tx/0x1bab3323ed9d1bdea9f57809e47b93b0fc0cd154e003e96812c333dedd74c500 Attacker Replaces Stryke Vault Implementations - Arbitrum One] (Accessed Jan 10, 2025)</ref> | ||
<ref name="arbiscan-17112">[https://arbiscan.io/tx/0x38e5199e52eb602b48c7b63e818939908590d341e0b348c208decab146d0e556 Transaction Swapping ERC20 To Ethereum - Arbitrum One] (Accessed Jan 10, 2025)</ref> | |||
<ref name="arbiscan-17111">[https://arbiscan.io/tx/0x1bab3323ed9d1bdea9f57809e47b93b0fc0cd154e003e96812c333dedd74c500 | <ref name="0xorangefinancetwitter-17113">[https://twitter.com/0xOrangeFinance/status/1876863611458801890 Orange Finance - "A hacker has taken over the admin address, upgraded the contracts, and transferred funds to their wallet. The team is not sure what happened and is currently investigating. The contract is no longer Orange. DO NOT interact with it (e.g., deposit or withdraw)." - Twitter] (Accessed Jan 10, 2025)</ref> | ||
<ref name="orangefinanceapp-17114">https://app.orangefinance.io/arbitrum (Accessed Jan 10, 2025)</ref> | |||
<ref name="arbiscan-17112">[https://arbiscan.io/tx/0x38e5199e52eb602b48c7b63e818939908590d341e0b348c208decab146d0e556 | <ref name="orangefinance-17115">[https://orange-finance.gitbook.io/orange-finance Orange Finance Homepage] (Accessed Jan 10, 2025)</ref> | ||
</references> | |||
<ref name="0xorangefinancetwitter-17113">[https://twitter.com/0xOrangeFinance/status/1876863611458801890 | |||
<ref name="orangefinanceapp-17114"> | |||
<ref name="orangefinance-17115">[https://orange-finance.gitbook.io/orange-finance | |||
Latest revision as of 16:36, 15 January 2025
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Orange Finance is an automated liquidity management protocol based on the Arbitrum blockchain, aiming to make liquidity providing derivatives more user friendly and accessible. On January 7th, 2025, the private key managing the protocol was breached, allowing an attacker to drain most of the stored liquidity and funds present in the vault. The team published an update the next day, in which they went over key aspects of the attack. The team continues to investigate and is working toward the recovery of user funds.[1][2][3][4][5][6][7]
About Orange Finance
"Orange Finance is an automated liquidity management protocol at the forefront of LPDfi innovation in the DeFi space. Our mission is to simplify liquidity provision and enhance profitability within LPDfi protocols. We're actively developing liquidity management vaults on top of LPDfi protocols, making LPDfi more accessible and user-friendly. Orange Finance stands as a pivotal gate connecting users and LPDfi protocols, contributing to the growth and stability of DeFi liquidity."[8][9]
The Reality
The multi-sig wallet was set to allow execution with a single signature, bypassing the intended multiple approvals for critical operations.
The protocol had inadequate internal processes for managing private keys, insufficient oversight, and no clear policies for backup or storage. There were no approval flows, auditing frameworks, or incident response procedures to detect and prevent an attack based on knowledge of the private key.
What Happened
The Orange Finance admin private key was compromised, allowing the adversary to withdraw significant assets from the smart contract.
| Date | Event | Description |
|---|---|---|
| January 7th, 2025 2:20:18 PM MST | Withdraw Unclaimed SYK | The attacker withdraws all unclaimed SYK from the OrangeDistributor contract. |
| January 7th, 2025 2:20:32 PM MST | Disable Vault Ownership | The attacker disables all owners other than the Safe in each vault. |
| January 7th, 2025 2:22:25 PM MST | WETH-USDC Vault Burns | The attacker replaces the vault implementations with an attacker-controlled version, and burns all unused Stryke positions in WETH-USDC[7]. |
| January 7th, 2025 2:22:28 PM MST | Remaining Vault Burns | The attacker replaces the vault implementations with an attacker-controlled version, and burns all remaining unused Stryke positions[10]. |
| January 7th, 2025 2:34:34 PM MST | Swapping To Ethereum | The attacker swaps all stolen ERC20 tokens for ethereum[11]. |
| January 7th, 2025 2:36:58 PM MST | Safe Wallet Emptied | The attacker transfers all ERC20 tokens from the safe wallet. (TBD - This transaction is listed first in the follow up?) |
| January 7th, 2025 10:28:00 PM MST | Initial Twitter Post | The Orange Finance team posts on Twitter revealing that a hacker had gained control of the admin address, upgraded the contracts, and transferred funds to their wallet[12]. The team is still investigating the incident and is unsure of the specifics at this time. Several vaults, including Stryke vaults and a closed Stable vault, have been mentioned as potentially compromised. Specific wallet addresses for these vaults are listed in the announcement. All users should revoke any contract approvals related to Orange Finance to prevent further issues[12]. |
| January 9th, 2025 4:20:47 AM MST | Follow Up Report | Orange Finance publishes their follow-up report. The follow-up investigation report from Orange Finance addresses the incident that occurred on January 8th, involving the theft of approximately $830,000 worth of assets. This theft was not caused by technical vulnerabilities in the smart contracts but rather by a misconfiguration of the multi-sig wallet and poor private key management. |
Technical Details
The attacker exploited the misconfigured multi-sig wallet, which allowed critical operations (such as ownership changes) to be executed by a single individual. This enabled the attacker to gain control of vaults, withdraw assets, and approve excessive withdrawals.
The attacker performed multiple steps to exploit the system, including transferring ERC20 tokens, withdrawing unclaimed rewards, modifying vault ownerships, and transferring assets to their address.
Contract Upgrade and WETH/USD Stryke Positions Burned[7].Replacement Of Stryke Vault implementations[10].
Swap ERC20 to ethereum[11].
Total Amount Lost
About 94% ($780,000) of the loss came from deposited assets, and 6% ($47,000) resulted from excessive approvals.
"The following contracts experienced losses as outlined below: Uniswap WETH-USDC: $135,709.63 Uniswap USDC-ARB: $100,278.28 Uniswap USDC-WBTC: $83,546.96 Uniswap BOOP-WETH: $20,109.71 Pancake WETH-USDC: $259,376.45 Pancake USDC-ARB: $65,917.20 Pancake USDC-WBTC: $146,541.50 Sushi WETH-USDC: $15,519.62 Sushi USDC-WBTC: $4,414.83 OrangeDistributor: $12,142.71614
Total losses: $843,556.90"
"These total losses can be broken down as follows: Deposit losses: $783,966.93 Losses due to approvals: $47,447.26 Unclaimed SYK reward losses: $12,142.71614"
The total amount lost has been estimated at $844,000 USD.
Immediate Reactions
Immediate Response included a temporary pause on the Stryke vault to secure remaining assets, deposits and withdrawals were disabled via the Orange UI, collaboration with Seal 911 to investigate and identify the attacker, and fund recovery efforts were initiated by reaching out to the attacker via Arbiscan with an offer to resolve the issue as a white-hat hack.
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
A Google Spreadsheet will be published containing user-specific loss details (wallet addresses and loss breakdowns).
The total amount recovered is unknown.
Ongoing Developments
Further investigation into the private key leakage and how the attacker gained access.
Ongoing efforts to establish recovery measures, including potential compensation, once the investigation is completed.
Orange Finance continues to investigate and will provide updates on significant findings as they emerge.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Rekt - Orange Finance - Rekt (Accessed Jan 10, 2025)
- ↑ SlowMist Hacked - SlowMist Zone (Accessed Jan 10, 2025)
- ↑ Orange Finance Jan 9th Follow-up Investigation Report on the Inc… — Orange Finance (Accessed Jan 10, 2025)
- ↑ Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Jan 10, 2025)
- ↑ Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Jan 10, 2025)
- ↑ Arbitrum One Transaction Hash (Txhash) Details | Arbitrum One (Accessed Jan 10, 2025)
- ↑ 7.0 7.1 7.2 Contract Upgrade and WETH/USD Stryke Positions Burned - Arbitrum One (Accessed Jan 10, 2025)
- ↑ https://app.orangefinance.io/arbitrum (Accessed Jan 10, 2025)
- ↑ Orange Finance Homepage (Accessed Jan 10, 2025)
- ↑ 10.0 10.1 Attacker Replaces Stryke Vault Implementations - Arbitrum One (Accessed Jan 10, 2025)
- ↑ 11.0 11.1 Transaction Swapping ERC20 To Ethereum - Arbitrum One (Accessed Jan 10, 2025)
- ↑ 12.0 12.1 12.2 Orange Finance - "A hacker has taken over the admin address, upgraded the contracts, and transferred funds to their wallet. The team is not sure what happened and is currently investigating. The contract is no longer Orange. DO NOT interact with it (e.g., deposit or withdraw)." - Twitter (Accessed Jan 10, 2025)