Orbit Bridge - REKT

It wasn’t just fireworks blowing up on New Year’s Eve.

The final hours of 2023 saw Orbit Chain’s Ethereum bridge lose $81.5M to what looks to have been a compromised multisig.

Not to be confused with Orbiter, which connects ETH L2s, Orbit Chain is a standalone network aiming to work as a hub between other established ecosystems.

The attack began just after 9PM UTC, and the alarm was raised just a few minutes later.

The official acknowledgement referenced a breach shortly before the transactions began…

An unidentified access to Orbit Bridge, a decentralized Cross-chain protocol, was confirmed on Dec-31-2023 08:52:47 PM +UTC.

…and was accompanied by warnings about opportunistic phishing attacks.

With 2023 ending on a bit of a downer, for Orbit at least, what will 2024 bring?

Credit: Tayvano, Peckshield

While the hack is initially assumed to be due to compromised keys of signer-addresses on the Orbit’s ETH Vault multisig, the team is yet to disclose the exact nature of the attack vector.

Others have suggested there could be a tx replay bug at play, similar to a ‘known issue’ identified during Theori’s audit (see page 7).

NOTE: This article will be updated to include the root cause once an official post-mortem has been published.

Follow-up note: On the 25th Jan, Ozys (Orbit's development company) published a statement implicating the firm's former CISO:

Two days after his voluntary retirement decision (November 20), the information security specialist who led Ozys’ efforts to become an ISMS-certified organization, abruptly made the firewall vulnerable and left the company on December 6, without any verbal or written communication during the handover process.

Investigations are ongoing.

Withdrawals began with 10M DAI at 21:08 UTC, followed by 231 WBTC ($9.8M), 9500 ETH ($21.5M), 10M USDC and finishing with 30M USDT at 21:25 UTC. The bridge was deactivated at 22:21 UTC.

Centralised stables and WBTC were swapped out for ETH, as shown in Peckshield’s attack flow:

Tay’s thread contains a full list of attacker addresses, where funds remain.

Attacker’s primary address: 0x9263e7873613ddc598a701709875634819176aff

The methodical tx pattern suggests this may be another Lazarus job, and the team has links to previous hacked projects Belt and Klayswap.

The attacker’s address was funded via Tornado Cash through an intermediary address.

Over half of Orbit Bridge’s TVL was drained in the attack, adding over $80M to an already impressive total for the presumed culprits.

Lazarus was responsible for at least $250M of losses in 2023 alone, with attacks on Atomic Wallet, AlphaPo, Stake and CoinEx all attributed to the group.

As markets pick up and institutional interest in crypto continues to grow, we will have to take security more seriously if we want to be taken seriously ourselves:

Looks like 2024 is going to be another year of handing DPRK billions of dollars on a silver platter. 🙄

embarrassing af.

Gradually emerging from a brutal bear market, will we simply ape into whatever the next narrative is, content to take on more and more risk as the potential rewards stack up?

Or can we do better this year?

REKT作为匿名作者的公共平台，我们对REKT上托管的观点或内容不承担任何责任。

捐赠 (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C

声明:

REKT对我们网站上发布的或与我们的服务相关的任何内容不承担任何责任，无论是由我们网站的匿名作者，还是由 REKT发布或引起的。虽然我们为匿名作者的行为和发文设置规则，我们不控制也不对匿名作者在我们的网站或服务上发布、传输或分享的内容负责，也不对您在我们的网站或服务上可能遇到的任何冒犯性、不适当、淫秽、非法或其他令人反感的内容负责。REKT不对我们网站或服务的任何用户的线上或线下行为负责。