This is not the final report but the follow-up report on the incident that occurred on January 9th. We will continuously provide updates on significant findings for transparency.
The incident was not primarily caused by technical vulnerabilities in the smart contracts.
Date: January 8, 2025
Incident: Exploitation of Multi-Sig Misconfiguration, resulting in the theft of $830,000 worth of assets.
On January 8, 2025, all active vaults on Orange Finance were exploited, resulting in the theft of approximately $830,000 worth of assets. The attacker gained ownership of each vault, modified their implementations, and withdrew both the deposited assets and excessively approved funds. About 94% (roughly $780,000) of the total loss came from deposited assets, while the remaining 6% (around $47,000) resulted from excessive approvals.
Temporary Pause on Stryke: Nearly 50% of the Total Value Locked (TVL) remains secured on Stryke, where funds have been temporarily paused to ensure protection.
Disabled Deposits and Withdrawals via Orange UI: To prevent further exploits, the Orange team has disabled all deposit and withdrawal functionalities through the Orange UI.
Collaboration with Seal 911: The Orange team has contacted Seal 911 and is working with them to investigate the incident and identify the attacker.
Fund Recovery Efforts: The Orange team has attempted to negotiate the return of funds by reaching out to the exploiter via Arbiscan.
“This message concerns the Orange Finance exploit. We have an offer related to this matter. Please contact us at "orangefinance0108@gmail.com" to discuss it. If you respond positively to our offer within 24 hours, we guarantee that no law enforcement agencies will be involved, and the matter will be treated as a white-hat hack. We genuinely hope you choose to do the right thing for everyone by accepting the offer, allowing us to move past this incident together. We look forward to your reply.”
The following contracts experienced losses as outlined below:
Uniswap WETH-USDC: $135,709.63
Uniswap USDC-ARB: $100,278.28
Uniswap USDC-WBTC: $83,546.96
Uniswap BOOP-WETH: $20,109.71
Pancake WETH-USDC: $259,376.45
Pancake USDC-ARB: $65,917.20
Pancake USDC-WBTC: $146,541.50
Sushi WETH-USDC: $15,519.62
Sushi USDC-WBTC: $4,414.83
OrangeDistributor: $12,142.71614
Total losses: $843,556.90
These total losses can be broken down as follows:
Deposit losses: $783,966.93
Losses due to approvals: $47,447.26
Unclaimed SYK reward losses: $12,142.71614
Based on our investigation so far, the attacker followed these steps:
Transfer all ERC20 tokens from the Safe wallet to the attacker’s address
- Transaction (ARB): 0x093673927fc38783d37717b4bd14693c29035fceff6a0c7747db21e88c4ea28f
- The same process was repeated for other tokens as well
Withdraw unclaimed SYK from the OrangeDistributor contract
- Transaction: 0x855625c6775b0acd5048b0c94466f76c3c361e2269445e66ae7ae352f04f538f
Disable all owners other than the Safe in each vault
- Uniswap WETH-USDC: 0x14535a9c8e7d5fa2c94de52067a3cf93369273517532e0a06871ddceb3e67dd7
- Other vaults were disabled similarly
Replace the vault implementations with an attacker-controlled version, and burn all unused Stryke positions
- Uniswap WETH-USDC position burn (batch 1): 0xad0d094c8ea32110ee3bc00d9ba040a79f5ba411296cef5e9b4d25a2c2e2a888
- Position burn (batch 2): 0x1bab3323ed9d1bdea9f57809e47b93b0fc0cd154e003e96812c333dedd74c500
- Repeated until all positions were burned
- Other vaults were similarly attacked
Transfer token0 and token1 from each vault to the attacker’s address
- Uniswap WETH-USDC vault: 0xecd160e3027b7bdd23423358f68b25eaaee08a9156f745390e14c7b7e9363195
- Assets from the other vaults were transferred similarly
Withdraw user assets that had been approved to the vaults in excess of what was deposited
- Uniswap WETH-USDC vault: 0xe31cc5011c7c4ee0720674a38147f9d4765f09e138c4f1d15c45079e2b5507b3
Swap all stolen ERC20 tokens for ETH
- USDC → ETH: 0x38e5199e52eb602b48c7b63e818939908590d341e0b348c208decab146d0e556
- Other tokens were also swapped similarly
This incident was not primarily caused by technical vulnerabilities in the smart contracts, but rather by the following operational issues. We’re still investigating how private key leakage occurred, and we will provide updates on significant findings as they arise.
Misconfiguration of the Safe wallet
- Multi-sig was configured to allow execution with a single signature
- Critical operations (such as ownership changes) that should have required multiple approvals were executable by a single individual
Inadequate private key management
- Insufficient internal processes for managing private keys
- Inadequate oversight and management of members with privileged access
- No clear policies for backing up or storing private keys
The investigation into how the private key was leaked is ongoing. No suspicious applications have been found on the relevant team member’s device, and further investigation—potentially involving leaks from development-related services (version control systems, CI/CD pipelines, cloud services, etc.)—is being conducted alongside security experts.
Lack of internal controls
- No approval flow was established for critical operations.
- No monitoring or auditing framework was established for privileged actions.
- No incident response procedures were established.
These issues allowed the attacker to gain control of the Safe wallet, followed by a series of actions (ownership changes, unauthorized withdrawals) that led to the loss of user funds.
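The two controls named above, a Safe threshold that permits single-signature execution and the absence of monitoring for privileged actions, can both be checked mechanically. The following is an added example written for this report, not Orange Finance's code: the method names, addresses, hashes and timestamps are constructed, and it assumes the Safe's owners and threshold have already been read on-chain and that transactions arrive pre-decoded from an indexer.

```python
# Added example, not Orange Finance code. Assumes the Safe's owner set and
# threshold were already read on-chain and that transactions arrive decoded
# (target, method, owner-signature count, unix timestamp) from an indexer.
from dataclasses import dataclass

# Calls that change who controls a vault or what code it runs; the incident
# steps (owner removal, implementation swap, position burns, token sweeps)
# are all of this kind. Names are illustrative, not Orange's actual ABI.
PRIVILEGED = {"transferOwnership", "removeOwner", "setOwner", "upgradeTo",
              "upgradeToAndCall", "burn", "sweepTokens"}
BURST_WINDOW_S, BURST_COUNT = 600, 3  # 3+ privileged calls inside 10 minutes

@dataclass
class DecodedTx:
    tx_hash: str
    target: str
    method: str
    signatures: int  # owner signatures that actually executed the Safe tx
    timestamp: int

def assess_safe_config(owners, threshold):
    """Policy findings for a Safe's owner set and execution threshold."""
    n, findings = len(owners), []
    if threshold <= 1:
        findings.append("threshold 1: one owner key can execute anything, "
                        "ownership and upgrade changes included")
    elif 2 * threshold <= n:
        findings.append(f"threshold {threshold} of {n} is not a majority")
    return findings

def detect_privileged_actions(txs, min_sigs=2):
    """Flag privileged calls, under-signed executions and privileged-call bursts."""
    alerts, recent = [], []
    for tx in sorted(txs, key=lambda t: t.timestamp):
        if tx.signatures < min_sigs:
            alerts.append(f"{tx.tx_hash}: {tx.signatures} signature(s), policy requires {min_sigs}")
        if tx.method not in PRIVILEGED:
            continue
        alerts.append(f"{tx.tx_hash}: privileged call {tx.method} on {tx.target}")
        recent = [t for t in recent if tx.timestamp - t <= BURST_WINDOW_S] + [tx.timestamp]
        if len(recent) == BURST_COUNT:
            alerts.append(f"{tx.tx_hash}: {BURST_COUNT} privileged calls within {BURST_WINDOW_S}s")
    return alerts

# Constructed sample: a 1-of-3 Safe that removes an owner, upgrades and burns
# within five minutes, each on a single signature, then a benign 2-sig call.
SAMPLE_OWNERS, SAMPLE_THRESHOLD = ["0xaaa", "0xbbb", "0xccc"], 1
SAMPLE_TXS = [DecodedTx("0x01", "0xVault", "removeOwner", 1, 1_736_300_000),
              DecodedTx("0x02", "0xVault", "upgradeTo", 1, 1_736_300_120),
              DecodedTx("0x03", "0xVault", "burn", 1, 1_736_300_300),
              DecodedTx("0x04", "0xVault", "rebalance", 2, 1_736_304_000)]
```

On the sample, the configuration check reports the single-signature threshold and the monitor raises seven alerts, the last being the burst of three privileged calls inside the ten-minute window.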
We are still conducting a detailed investigation into how the private key leakage occurred and into each user's losses.
Regarding each user’s actual loss (including the breakdown of deposit and approval-related losses), we plan to publish a Google Spreadsheet containing the following information:
- Wallet address
- Affected vault(s)
- Deposit loss in USD
- Approval-related loss in USD
- Total loss in USD
Once the investigation is complete, the spreadsheet’s URL will be announced on Orange Finance’s official Twitter (@0xOrangeFinance) and Discord. To protect privacy, no personally identifiable information will be included other than wallet addresses.
We will also provide further information on specific recovery measures, including any form of compensation after we publish the list.