Orbit Chain suffered a large-scale attack of $80 million, resulting in the loss of multiple coin assets.
Orbit Chain project suffers a large-scale attack, with losses reaching up to 80 million USD.
On January 1, 2024, a security risk monitoring platform detected that the Orbit Chain project had suffered a major attack, with losses of at least about $80 million. Analysis showed that the attackers had carried out small-scale attacks a day earlier and used the stolen ETH to pay the transaction fees for the subsequent large-scale attack.
Orbit Chain is a cross-chain bridge platform that supports multi-chain asset interoperability. Currently, the project team has suspended the operation of the cross-chain bridge contract and is attempting to communicate with the attacker.
Attack Details Analysis
In this incident, the attacker directly called the withdraw function in the Bridge contract of Orbit Chain, thereby achieving the illegal transfer of assets.
Further analysis of the code structure of the withdraw function reveals that it employs a signature verification mechanism to ensure the security and legitimacy of withdrawal operations. In blockchain transactions, signature verification is a common and important security measure used to confirm the identity and authority of the transaction initiator.
By observing the return value of the signature verification function (_validate), we can see that it returns the number of owner signatures. This information is crucial for verifying the legitimacy of the transaction. The system compares the returned number of signatures with a preset threshold to determine whether the conditions for executing the transaction are met.
According to on-chain data, there are a total of 10 administrator addresses for this contract, and the required value is set to 7, which means that at least 70% of the administrators must sign in order to successfully withdraw assets.
Comprehensive analysis indicates that this incident was likely caused by a phishing attack on the server where the administrators' private keys are stored.
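The threshold check described above can be modeled as follows. This is an added example, not Orbit Chain's contract code: the owner names, keys, withdrawal fields and the Bridge class are hypothetical, and an HMAC stands in for the ECDSA signature recovery a real contract performs. Only the 7-of-10 threshold comes from the article.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: 10 owner identities, each with its own secret key.
OWNER_KEYS = {f"owner{i}": f"constructed-key-{i}".encode() for i in range(10)}
REQUIRED = 7  # threshold stated in the article: 7 of 10 owners


def withdrawal_digest(from_chain, tx_id, token, to_addr, amount):
    """Hash every field of the withdrawal so a signature binds to all of them."""
    payload = json.dumps([from_chain, tx_id, token, to_addr, amount]).encode()
    return hashlib.sha256(payload).digest()


def sign(owner, digest):
    """HMAC stand-in for an owner's signature over the digest."""
    return owner, hmac.new(OWNER_KEYS[owner], digest, hashlib.sha256).digest()


def validate(digest, signatures):
    """Return how many distinct owners produced a valid signature over digest."""
    seen = set()
    for owner, tag in signatures:
        key = OWNER_KEYS.get(owner)
        if key is None or owner in seen:
            continue  # non-owner or repeated signer does not count
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            seen.add(owner)
    return len(seen)


class Bridge:
    def __init__(self):
        self.used = set()  # digests already paid out (replay protection)

    def withdraw(self, fields, signatures):
        digest = withdrawal_digest(*fields)
        if digest in self.used:
            return False  # same withdrawal submitted twice
        if validate(digest, signatures) < REQUIRED:
            return False  # fewer than 7 distinct owner signatures
        self.used.add(digest)
        return True
```

The check only proves that seven distinct owner keys signed the withdrawal; it cannot tell who was holding those keys, which is why the analysis above points at the key-storage server and not at the contract logic.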
Attack Process Timeline
Flow of Stolen Funds
As of the report's release, the stolen funds have been transferred to five different addresses. The specific transfer details are as follows:
Each transaction is sent to a brand new wallet address, indicating the attacker’s intention to obscure the flow of funds.
Security Insights
This cross-chain bridge security incident once again highlights the importance of security in blockchain systems. We can draw the following insights from it:
Code security is crucial. When developing and auditing smart contracts, it is essential to strictly follow security best practices and avoid common vulnerabilities.
Strengthen identity verification mechanisms. Measures such as multi-signature and strict permission management can effectively prevent unauthorized access and asset loss.
Regular security audits. Conduct ongoing security assessments and vulnerability scans of the system to identify and fix potential risks promptly.
Improve the emergency response mechanism. Establish a rapid response process to swiftly take action in the event of a security incident, minimizing losses to the greatest extent possible.
Strengthen private key management. Use more secure methods for storing and using private keys, such as hardware wallets or multi-signature mechanisms, to reduce the risk of private key theft.