Orange Finance Smart Contract Private Key Compromised
Orange Finance is an automated liquidity management protocol on the Arbitrum blockchain, aiming to make liquidity-providing derivatives (LPDfi) more user friendly and accessible. On January 7th, 2025, the admin private key controlling the protocol was compromised, allowing an attacker to drain most of the liquidity and funds held in the vaults. The team published an update the next day covering the key aspects of the attack. The team continues to investigate and is working toward the recovery of user funds.[1][2][3][4][5][6][7]
About Orange Finance
"Orange Finance is an automated liquidity management protocol at the forefront of LPDfi innovation in the DeFi space. Our mission is to simplify liquidity provision and enhance profitability within LPDfi protocols. We're actively developing liquidity management vaults on top of LPDfi protocols, making LPDfi more accessible and user-friendly. Orange Finance stands as a pivotal gate connecting users and LPDfi protocols, contributing to the growth and stability of DeFi liquidity."[8][9]
The Reality
The multi-sig wallet was set to allow execution with a single signature, bypassing the intended multiple approvals for critical operations.
The protocol had inadequate internal processes for managing private keys, insufficient oversight, and no clear policies for backup or storage. There were no approval flows, auditing frameworks, or incident response procedures to detect and prevent an attack based on knowledge of the private key.
What Happened
The Orange Finance admin private key was compromised, allowing the adversary to withdraw significant assets from the smart contract.
| Date | Event | Description |
|---|---|---|
| January 7th, 2025 2:20:18 PM MST | Withdraw Unclaimed SYK | The attacker withdraws all unclaimed SYK from the OrangeDistributor contract. |
| January 7th, 2025 2:20:32 PM MST | Disable Vault Ownership | The attacker disables all owners other than the Safe in each vault. |
| January 7th, 2025 2:22:25 PM MST | WETH-USDC Vault Burns | The attacker replaces the vault implementations with an attacker-controlled version, and burns all unused Stryke positions in WETH-USDC[7]. |
| January 7th, 2025 2:22:28 PM MST | Remaining Vault Burns | The attacker replaces the vault implementations with an attacker-controlled version, and burns all remaining unused Stryke positions[10]. |
| January 7th, 2025 2:34:34 PM MST | Swapping To Ethereum | The attacker swaps all stolen ERC20 tokens for ethereum[11]. |
| January 7th, 2025 2:36:58 PM MST | Safe Wallet Emptied | The attacker transfers all ERC20 tokens from the safe wallet. (TBD - This transaction is listed first in the follow up?) |
| January 7th, 2025 10:28:00 PM MST | Initial Twitter Post | The Orange Finance team posts on Twitter revealing that a hacker had gained control of the admin address, upgraded the contracts, and transferred funds to their wallet[12]. The team is still investigating the incident and is unsure of the specifics at this time. Several vaults, including Stryke vaults and a closed Stable vault, have been mentioned as potentially compromised. Specific wallet addresses for these vaults are listed in the announcement. All users should revoke any contract approvals related to Orange Finance to prevent further issues[12]. |
| January 9th, 2025 4:20:47 AM MST | Follow Up Report | Orange Finance publishes their follow-up report. The follow-up investigation report from Orange Finance addresses the incident that occurred on January 8th, involving the theft of approximately $830,000 worth of assets. This theft was not caused by technical vulnerabilities in the smart contracts but rather by a misconfiguration of the multi-sig wallet and poor private key management. |
Technical Details
The attacker exploited the misconfigured multi-sig wallet, which allowed critical operations (such as ownership changes) to be executed by a single individual. This enabled the attacker to gain control of vaults, withdraw assets, and approve excessive withdrawals.
The attacker performed multiple steps to exploit the system, including transferring ERC20 tokens, withdrawing unclaimed rewards, modifying vault ownerships, and transferring assets to their address.
Contract upgrade and WETH/USDC Stryke positions burned[7].
Replacement of Stryke vault implementations[10].
Swap of ERC20 tokens to Ethereum[11].
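The incident produced admin-control signals (a 1-of-N Safe threshold, owner removals, vault proxy upgrades to an unreviewed implementation) that a monitoring rule could have flagged before funds moved. The following is an added example, not Orange Finance code; the addresses, event sequence and the `KNOWN_IMPLS` allowlist are constructed, and the Safe's initial owners and threshold are passed in rather than read from the chain.

```python
# Added example (not Orange Finance code): detection rules for the admin-control
# signals this incident produced. Addresses and events are constructed, not chain data.
from dataclasses import dataclass, field

@dataclass
class Event:
    block: int
    contract: str          # emitting contract: the Safe or a vault proxy
    name: str              # Safe event (ChangedThreshold/RemovedOwner) or ERC-1967 Upgraded
    args: dict = field(default_factory=dict)

SAFE = "0xSAFE"                                        # constructed Safe address
VAULTS = {"0xVAULT_WETH_USDC", "0xVAULT_USDC_ARB"}     # constructed vault proxies
KNOWN_IMPLS = {"0xIMPL_V1"}                            # implementations cleared by release review

def audit(events, owners, threshold):
    """Replay admin events against the Safe's initial owners/threshold (here simulated
    rather than read with getOwners()/getThreshold()) and return (level, block, message)."""
    owners, alerts = set(owners), []
    if threshold < 2:   # the misconfiguration behind this incident: 1-of-N execution
        alerts.append(("CRITICAL", 0, f"threshold {threshold} of {len(owners)}: one key acts alone"))
    for e in events:
        if e.contract == SAFE and e.name == "ChangedThreshold":
            threshold = e.args["threshold"]
            if threshold < 2:
                alerts.append(("CRITICAL", e.block, f"threshold lowered to {threshold}"))
        elif e.contract == SAFE and e.name == "RemovedOwner":
            owners.discard(e.args["owner"])
            if len(owners) < max(threshold, 2):
                alerts.append(("CRITICAL", e.block, f"owner removed, {len(owners)} left"))
        elif e.contract in VAULTS and e.name == "Upgraded":
            impl = e.args["implementation"]
            if impl not in KNOWN_IMPLS:   # the attacker-controlled implementation swap
                alerts.append(("CRITICAL", e.block, f"{e.contract} upgraded to unreviewed {impl}"))
    return alerts

# Constructed sequence mirroring the timeline: threshold already 1, then two vault upgrades.
SAMPLE_EVENTS = [
    Event(100, SAFE, "RemovedOwner", {"owner": "0xOWNER_B"}),
    Event(101, "0xVAULT_WETH_USDC", "Upgraded", {"implementation": "0xATTACKER_IMPL"}),
    Event(102, "0xVAULT_USDC_ARB", "Upgraded", {"implementation": "0xATTACKER_IMPL"}),
]

def sample_alerts():
    return audit(SAMPLE_EVENTS, ["0xOWNER_A", "0xOWNER_B", "0xOWNER_C"], threshold=1)

if __name__ == "__main__":
    for level, block, msg in sample_alerts():
        print(level, block, msg)
```

With the sample data the initial 1-of-3 threshold is flagged before any event is replayed, and each upgrade to the unreviewed implementation raises its own alert.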
Total Amount Lost
About 94% ($780,000) of the loss came from deposited assets, and 6% ($47,000) resulted from excessive approvals.
"The following contracts experienced losses as outlined below:
Uniswap WETH-USDC: $135,709.63
Uniswap USDC-ARB: $100,278.28
Uniswap USDC-WBTC: $83,546.96
Uniswap BOOP-WETH: $20,109.71
Pancake WETH-USDC: $259,376.45
Pancake USDC-ARB: $65,917.20
Pancake USDC-WBTC: $146,541.50
Sushi WETH-USDC: $15,519.62
Sushi USDC-WBTC: $4,414.83
OrangeDistributor: $12,142.71614
Total losses: $843,556.90"
"These total losses can be broken down as follows:
Deposit losses: $783,966.93
Losses due to approvals: $47,447.26
Unclaimed SYK reward losses: $12,142.71614"
The total amount lost has been estimated at $844,000 USD.
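Part of the loss came from token approvals users had left standing toward the compromised contracts, which is why the team's announcement asked users to revoke them. The following added example (not Orange Finance code) folds a user's `Approval` events into their live allowances and builds the `approve(spender, 0)` calldata that revokes each outstanding one; the token, vault and user addresses and the event data are constructed.

```python
# Added example (not Orange Finance code): enumerate a user's outstanding ERC-20
# allowances to a compromised contract and build the approve(spender, 0) calldata
# that revokes each one. Token, spender and event data below are constructed.
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")

def outstanding_allowances(approval_events, user, compromised):
    """Fold Approval(owner, spender, value) events in block order; the last value per
    (token, spender) is the live allowance. Returns {(token, spender): value} for the
    user's non-zero allowances to addresses in `compromised`."""
    live = {}
    for ev in sorted(approval_events, key=lambda e: (e["block"], e["log_index"])):
        if ev["owner"].lower() != user.lower():
            continue
        live[(ev["token"].lower(), ev["spender"].lower())] = ev["value"]
    comp = {a.lower() for a in compromised}
    return {k: v for k, v in live.items() if v > 0 and k[1] in comp}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector + 32-byte left-padded address + 32-byte zero."""
    addr = spender.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

def revoke_plan(approval_events, user, compromised):
    """One (token, calldata) pair per outstanding allowance; each is a tx sent to `token`."""
    return [(token, revoke_calldata(spender))
            for (token, spender) in outstanding_allowances(approval_events, user, compromised)]

# Constructed sample: the user approved two vaults; the WETH allowance was later reset to 0.
USER = "0x" + "11" * 20
VAULT_A = "0x" + "aa" * 20
VAULT_B = "0x" + "bb" * 20
USDC, WETH = "0x" + "c0" * 20, "0x" + "e0" * 20
SAMPLE_APPROVALS = [
    {"block": 10, "log_index": 0, "token": USDC, "owner": USER, "spender": VAULT_A, "value": 2**256 - 1},
    {"block": 11, "log_index": 0, "token": WETH, "owner": USER, "spender": VAULT_B, "value": 5 * 10**18},
    {"block": 12, "log_index": 3, "token": WETH, "owner": USER, "spender": VAULT_B, "value": 0},
    {"block": 13, "log_index": 0, "token": USDC, "owner": "0x" + "22" * 20, "spender": VAULT_A, "value": 10**6},
]

if __name__ == "__main__":
    for token, data in revoke_plan(SAMPLE_APPROVALS, USER, [VAULT_A, VAULT_B]):
        print(f"send to {token}: {data}")
```

Only the unlimited USDC allowance to `VAULT_A` survives the fold, so the plan contains a single revoke transaction; another user's approval is ignored.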
Immediate Reactions
The immediate response included a temporary pause of the Stryke vaults to secure the remaining assets; deposits and withdrawals were disabled in the Orange UI; the team worked with SEAL 911 to investigate and identify the attacker; and fund recovery efforts were initiated by contacting the attacker via Arbiscan with an offer to resolve the incident as a white-hat hack.
Ultimate Outcome
The final outcome has not yet been documented; the team continues to investigate and is working toward the recovery of user funds.
Total Amount Recovered
A Google Spreadsheet will be published containing user-specific loss details (wallet addresses and loss breakdowns).
The total amount recovered is unknown.
Ongoing Developments
Further investigation into the private key leakage and how the attacker gained access is underway.
Efforts to establish recovery measures, including potential compensation, will follow once the investigation is complete.
Orange Finance continues to investigate and will provide updates on significant findings as they emerge.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Rekt - Orange Finance - Rekt (Accessed Jan 10, 2025)
- [2] SlowMist Hacked - SlowMist Zone (Accessed Jan 10, 2025)
- [3] Orange Finance Jan 9th Follow-up Investigation Report on the Inc… - Orange Finance (Accessed Jan 10, 2025)
- [4] Arbitrum One Transaction Hash (Txhash) Details - Arbitrum One (Accessed Jan 10, 2025)
- [5] Arbitrum One Transaction Hash (Txhash) Details - Arbitrum One (Accessed Jan 10, 2025)
- [6] Arbitrum One Transaction Hash (Txhash) Details - Arbitrum One (Accessed Jan 10, 2025)
- [7] Contract Upgrade and WETH/USD Stryke Positions Burned - Arbitrum One (Accessed Jan 10, 2025)
- [8] https://app.orangefinance.io/arbitrum (Accessed Jan 10, 2025)
- [9] Orange Finance Homepage (Accessed Jan 10, 2025)
- [10] Attacker Replaces Stryke Vault Implementations - Arbitrum One (Accessed Jan 10, 2025)
- [11] Transaction Swapping ERC20 To Ethereum - Arbitrum One (Accessed Jan 10, 2025)
- [12] Orange Finance - "A hacker has taken over the admin address, upgraded the contracts, and transferred funds to their wallet. The team is not sure what happened and is currently investigating. The contract is no longer Orange. DO NOT interact with it (e.g., deposit or withdraw)." - Twitter (Accessed Jan 10, 2025)