The new year commenced with a significant blow to Orbit Chain, a South Korean cross-chain bridging project, which lost over $80 million in assets due to a compromising bridge hack. It’s essential to distinguish Orbit Chain from Orbiter Finance, an Ethereum-based bridge sharing a similar name.
According to a researcher using the pseudonym officer_cia, the attacker successfully accessed seven of the ten multisig signers, leading to a staggering loss of $81.5 million. Multisig, designed to require multiple private keyholders for transaction validation, aims to prevent single-party control over a wallet’s assets.
Primarily, the stolen funds comprised stablecoins, with $30 million in USDT, $10 million in USDC, and $10 million in DAI. Additionally, approximately 231 WBTC ($10 million) and 9,500 ETH ($21.5 million) were part of the stolen assets.
Hacker’s addresses (info provided by @MistTrack_io)
0x009b60Aab8E64C8F5FE449bd96fA78B1A7fFfcC5- 9500 ETH 0x5e22cb028865d6A93080d7ab42d2Fe9A0E8dC085- 4252 ETH 0x3a886A63c768665A9830886E608d6f9Dc6B4f730- ~10M DAI 0x157a409c2bFfF38209A32e55D3eac1bFc93DD664- ~5M DAI…
— Officer’s Notes (@officer_cia) January 1, 2024
Ongoing Investigation and Preventive Measures
The hacker utilized an intermediary address to route the stolen funds through a cryptocurrency mixer, complicating the tracking process. Orbit Chain’s team swiftly reached out to cryptocurrency exchanges, urging them to freeze the stolen assets. Simultaneously, they’ve engaged with law enforcement agencies to trace the missing funds.
Orbit Chain team has developed a system for investigation support and cause analysis with the Korean National Police Agency and KISA (Korea Internet & Security Agency), enabling a more proactive and comprehensive investigation approach.
Furthermore, we are also discussing close…
— Orbit Chain (@Orbit_Chain) January 2, 2024
The project has issued warnings to dissuade users from participating in reimbursement claims circulating amidst the chaos of the hack.
Unsecured Infrastructure and Previous Incidents
This unfortunate incident involving Orbit Bridge isn’t the first security breach connected to Ozys, the South Korean blockchain development company behind the project. Metamask’s Lead Product Manager, Taylor Monahan, highlighted that KlaySwap and Belt Finance, other Ozys creations, faced similar breaches in recent years.
Belt Finance witnessed a loss of approximately $6 million in May 2021, followed by a potential $60 million at risk in August 2021. KlaySwap experienced a drain of nearly $2 million in February 2022. These incidents underscore the vulnerability of Ozys’ infrastructure, calling for vital lessons to be learned from past mistakes.
The lack of learning is whats most embarrassing about this industry.
At this point it’s honestly fucking disgusting.
If you dont want to be bothered to secure your shit, then don’t build shit. Thanks.
— Tay 💖 (@tayvano_) January 1, 2024
Also Read: Crypto Scams and Hacks Drain $2 Billion in 2023
Multisig Vulnerabilities and Previous Exploits
Private key compromise has been a recurrent theme in several major exploits within the crypto space. Notably, the Ronin Bridge hack in March 2022 resulted in the draining of $625 million due to a similar issue.
According to Quantstamp, a leading Web3 security firm, “compromised keys were the biggest threat of 2023.” Certik’s recent analysis revealed that private key compromises accounted for a significant portion of security incidents, totalling $880 million across 47 cases in 2023.
Learning from these incidents becomes crucial for projects to enhance their security measures and safeguard user trust. Taylor Monahan stressed the importance of sharing lessons learned to prevent similar breaches in the future.
