Cross-chain Orbit Bridge allegedly experiences a $82 million exploit

The Orbit Chain, a multi-asset blockchain focusing on cross-chain transfers, recently fell victim to a sophisticated exploit. Notably, on December 31, 2023, a series of unauthorized transactions led to a significant financial loss, amounting to approximately $81.6 million.

It appears the exploit was executed by compromising the private keys of the owner, allowing the attacker to create fake signatures for withdrawal transactions. This security breach led to the illicit transfer of various cryptocurrencies, including Ethereum (ETH), Tether (USDT), USD Coin (USDC), Wrapped Bitcoin (WBTC), and the algorithmic stablecoin DAI, into fresh wallets.

Transaction Details

Ethereum: An initial minor withdrawal of 0.004 ETH was followed by the vault being drained of approximately 9500 ETH.

Tether: The attacker initially withdrew 9.71 USDT and later approximately $30 million worth of USDT.

USD Coin: Starting with a small amount of 3.92 USDC, the attacker eventually drained about $10 million USDC.

Wrapped Bitcoin: The initial drain was 0.012 WBTC, followed by a substantial withdrawal of approximately 230.879 WBTC.

Technical Analysis

The core of the exploit involved the misuse of valid signatures for unauthorized transactions. The Orbit Chain's smart contract validation mechanism lacked the ability to associate signatures directly with specific transaction details. This oversight allowed the attacker, who had access to at least one private key of a validator, to pass the validation checks and execute the fraudulent transactions.

Post-exploit, the Orbit Chain team communicated with the attacker, indicating a willingness to negotiate. To prevent such incidents in the future, it is recommended that blockchain protocols enhance their validation processes, ensure secure private key management, and implement fail-safes against unauthorized transactions. Hardware Security Modules (HSMs) are suggested for better private key management, reducing the risk of similar compromises.

Image source: Shutterstock