Orbit Chain cross-chain bridges遭Hacker攻击，损失约8000万美元

On January 1, 2024, a hacker attack targeting the Orbit Chain cross-chain bridge drew widespread attention from the cryptocurrency community. According to data from security monitoring platforms, the losses from this attack reached approximately $80 million. Security experts analyzed that the attackers had initiated small-scale probing attacks a day earlier and used the initially stolen ETH as transaction fees for the subsequent large-scale attack.

Orbit Chain is a cross-chain bridge platform that allows users to transfer crypto assets between different blockchains. After discovering a security vulnerability, the project team took immediate action to suspend the operation of the cross-chain bridge contract and attempted to contact the hacker.

In-depth analysis indicates that the core of this attack lies in the fact that the Hacker successfully invoked the withdraw function in the Orbit Chain cross-chain bridges contract, thereby illegally transferring a large amount of assets. This function uses a signature verification mechanism to ensure the legality of withdrawal operations. According to the contract design, at least 70% of the administrators (a total of 10 addresses) need to sign to authorize asset withdrawals.

This incident reveals a potentially serious security vulnerability, with experts speculating that the attackers may have obtained a sufficient number of administrator private keys in some way, or successfully deceived the servers that store these private keys.

The attack was conducted in two phases: first, on December 30, 2023, the attacker carried out a small-scale probing attack to acquire a small amount of ETH for subsequent operations. Then, on the evening of December 31, the hacker launched a large-scale attack targeting various crypto assets including DAI, WBTC, ETH, USDC, and USDT.

According to the analysis of fund flows, the Hacker has dispersed the stolen assets to five different wallet addresses. Specifically, this includes: $50 million in stablecoins ($30 million USDT, $10 million DAI, and $10 million USDC), 231 wBTC (worth approximately $10 million), and 9,500 ETH (worth approximately $21.5 million).

This incident once again highlights the importance of blockchain security, especially in complex systems such as cross-chain bridges. It reminds us that when designing and implementing blockchain projects, security must be prioritized. Key measures include:

1. Strengthen the security of contract code by strictly following best practices and security standards.

2. Improve the identity verification and authorization mechanism, such as using multi-signature and strict permission management.

3. Regularly conduct security audits and vulnerability tests to promptly identify and fix potential risks.

4. Establish an emergency response mechanism to quickly respond to potential security incidents.

As the cryptocurrency industry continues to evolve, similar security incidents may persist. Therefore, project teams, developers, and users need to remain highly vigilant to collectively safeguard the security of the blockchain ecosystem.