Orbit Chain was attacked for $80 million, and multiple coin assets were stolen.
Orbit Chain project suffers a large-scale attack, with losses as high as $80 million
At the beginning of the New Year 2024, the cross-chain bridge platform Orbit Chain suffered a major security incident, with estimated losses reaching 80 million USD. According to data from the security monitoring platform, the attackers had already begun small-scale probing attacks a day earlier, and used the small amount of ETH stolen in them to cover transaction fees for the subsequent large-scale attack.
Orbit Chain, as a cross-chain platform that allows users to transfer cryptocurrency assets between different blockchains, has undoubtedly suffered a severe blow to its operations and user confidence due to the recent attack. Currently, the project team has taken emergency measures, suspended the operation of the cross-chain bridge contract, and is attempting to communicate with the attackers.
Attack Method Analysis
The attack mainly involved directly invoking the withdraw function of the Orbit Chain bridge contract to transfer assets. In-depth analysis revealed that this function uses a signature verification mechanism to ensure the legitimacy of withdrawals. In blockchain transactions, signature verification is a commonly used security measure to confirm the identity and authority of the transaction initiator.
The design requirement of the withdraw function is that at least 70% of the administrators (i.e., 7 out of 10 administrators) must sign the withdrawal transaction for it to be executed. This multi-signature mechanism was supposed to provide a high level of security, but in this incident, it was successfully breached by the attackers.
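The 7-of-10 rule described above can be sketched as follows. This is an added example, not Orbit Chain's contract code: the administrator names, demo keys, `nonce` field and function names are hypothetical, and HMAC-SHA256 stands in for the on-chain signature check so the example runs with the standard library alone.

```python
import hashlib
import hmac

# Constructed sample data: ten hypothetical administrators with demo keys.
# Assumption: HMAC-SHA256 stands in for the on-chain signature check.
ADMIN_KEYS = {f"admin{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
              for i in range(10)}
THRESHOLD_PERCENT = 70
# Integer ceiling of 70% of 10 administrators = 7 required signers.
REQUIRED = (len(ADMIN_KEYS) * THRESHOLD_PERCENT + 99) // 100


def withdrawal_digest(token, recipient, amount, nonce):
    """Hash every field so a signature covers exactly one withdrawal."""
    return hashlib.sha256(repr((token, recipient, amount, nonce)).encode()).digest()


def sign(admin, digest):
    """Produce one administrator's signature over the digest (demo helper)."""
    return hmac.new(ADMIN_KEYS[admin], digest, hashlib.sha256).digest()


def count_valid_signers(digest, signatures):
    """Count distinct administrators whose signature verifies for this digest."""
    valid = set()
    for admin, sig in signatures:
        key = ADMIN_KEYS.get(admin)
        if key is None:
            continue  # signer is not in the administrator set
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            valid.add(admin)  # a set, so a repeated signer counts once
    return len(valid)


def authorize_withdraw(token, recipient, amount, nonce, signatures):
    """Return True only when at least REQUIRED distinct administrators signed."""
    digest = withdrawal_digest(token, recipient, amount, nonce)
    return count_valid_signers(digest, signatures) >= REQUIRED


if __name__ == "__main__":
    d = withdrawal_digest("ETH", "0xRecipientPlaceholder", 100, 1)
    sigs = [(f"admin{i}", sign(f"admin{i}", d)) for i in range(6)]
    print(authorize_withdraw("ETH", "0xRecipientPlaceholder", 100, 1, sigs))  # 6 signers
    sigs.append(("admin6", sign("admin6", d)))
    print(authorize_withdraw("ETH", "0xRecipientPlaceholder", 100, 1, sigs))  # 7 signers
```

A check of this kind proves that seven administrator keys signed the withdrawal, not who controlled those keys, so it is only as strong as the custody of each key.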
Attack Timeline
Flow of Stolen Funds
The attacker dispersed the stolen funds to five different addresses, specifically including:
Security Advisory
This incident once again highlights the importance of security design in blockchain projects, especially cross-chain bridges.
Code security is crucial. As the core of the blockchain system, contract code must strictly adhere to security standards and best practices to avoid common vulnerabilities.
A sound permission management and identity verification mechanism is key to protecting asset security. Multi-signature, strict access control, and other measures can effectively reduce the risk of unauthorized operations.
Continuous security monitoring and rapid response mechanisms are crucial for the timely detection and handling of potential threats.
Regular security audits and timely fixes of identified vulnerabilities are necessary measures to maintain the long-term security of the system.
This incident has undoubtedly sounded the alarm for the entire cryptocurrency industry, reminding all parties to always prioritize security while pursuing innovation.