Orbit Chain Project Suffers $80 Million Loss, Analysis of the Biggest Security Incident at the Start of the New Year

On January 1, 2024, a cross-chain bridge platform, Orbit Chain, suffered a significant security attack, resulting in losses of approximately $80 million. Security monitoring platform data shows that the attackers began small-scale probing attacks a day earlier and used a small amount of stolen ETH to cover transaction fees for the subsequent large-scale attack.

Currently, the project team has taken emergency measures to suspend the operation of the cross-chain bridge contract and is attempting to establish contact with the attacker. Security experts have conducted an in-depth analysis of the incident, and the following are the main findings:

Analysis of Attack Methods

Attackers primarily transfer assets by directly calling the withdraw function in the Bridge contract of Orbit Chain. This function uses a signature verification mechanism to ensure the legitimacy of the withdrawal operation. Specifically:

1. The withdraw function confirms the legitimacy of the transaction by verifying the signature.
2. The verification process will return the number of owner signatures.
3. If the number of signatures reaches or exceeds the preset threshold, fund withdrawal is allowed.

According to on-chain data, the contract is jointly managed by 10 administrator addresses, of which at least 7 administrators (70%) need to sign to execute withdrawal operations.

Experts speculate that this incident was likely caused by a phishing attack on the server storing the administrator's private key.

Attack Timeline

• December 30, 2023 15:39:35 ( UTC ): The attacker began a small-scale probing attack on Orbit Chain, stealing a small amount of ETH and distributing it to other attack addresses as transaction fees.
• December 31, 2023 21:00 ( UTC ): Multiple attack addresses simultaneously launched a large-scale attack on various cryptocurrencies of Orbit Chain, including DAI, WBTC, ETH, USDC, and USDT.

Capital Flow

As of the time the report was released, the stolen funds have been transferred to 5 different addresses. The specific amounts are as follows:

• 50 million stablecoins (30 million USDT, 10 million DAI, 10 million USDC)
• 231 wBTC (approximately worth 10 million USD)
• 9500 ETH (approximately worth 21.5 million USD)

Security Insights

This event once again highlights the importance of security design in blockchain systems:

1. Code Security: As the core of the blockchain system, contract code must strictly adhere to security best practices to avoid common vulnerabilities.

2. Permission Management: Strengthen identity verification mechanisms, implement multi-signature and strict access control to prevent unauthorized operations.

3. Continuous Monitoring: Establish a real-time monitoring system to promptly detect and respond to potential threats.

4. Emergency Response: Develop and完善 emergency plans to respond quickly when incidents occur, minimizing losses to the greatest extent.

This incident reminds us that while blockchain technology is rapidly developing, security issues remain one of the biggest challenges facing the industry. Project teams, developers, and users need to stay highly vigilant and work together to maintain the security of the ecosystem.