defirisk.co
rubric v1.7.0

Orion Protocol: Fake token reentrancy — depositAsset() double-credit via ATK token transfer hook

Occurred: 2023-02-02 | Loss: $3M | Status: closed

Summary

Orion Protocol, a DEX aggregator / liquidity aggregator, suffered a reentrancy exploit on 2023-02-02, resulting in a loss of approximately $3M.

What happened

Orion Protocol lost $3M when a fake token's transfer function re-entered the exchange contract's deposit accounting, doubling the attacker's ledger balance and enabling a massive artificial withdrawal.

Linked factors

  • RD-F-004 — causal: Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
  • RD-F-007 — related: Bug bounty absent; baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]