Verify a decision

{"actor":"system:backfill","investigation_id":"85b48dbf-2c35-4ccd-ad5c-afa98e4b7570","kind":"publish","page_slug":"orion-protocol","published_at":"2026-06-01T17:48:33.983Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Orion Protocol","sections":[{"content":"On February 2, 2023, an attacker exploited a reentrancy vulnerability in Orion Protocol's ExchangeWithOrionPool (ExchangeWithAtomic) contract, draining approximately $2,836,206 from the Ethereum deployment and $191,030 from the Binance Smart Chain deployment, for a combined loss of roughly $3 million. The attacker deployed a custom malicious token — referred to in post-mortems as 'ATK' — and obtained flash-loaned stablecoins from Uniswap V2. By routing a swap through the ATK token, the attacker triggered a reentrancy hook on the depositAsset function during the token transfer callback, causing the contract to count the deposited tokens twice before the swap settled. This double-counting of balances allowed the attacker to withdraw far more than was legitimately owed. The exploit cost the attacker only approximately 0.4 BNB and 0.4 ETH in gas fees while yielding roughly 1,757 ETH in stolen assets. Security firm PeckShield first identified the attack on-chain. The primary attacker address on Ethereum is 0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1; a secondary address is 0x837962b686fd5a407fb4e5f92e8be86a230484bd.","heading":"February 2023 Reentrancy Exploit","severity":"critical","sources":[{"credibility":1,"name":"Orion Protocol Loses $3M of Crypto in Trading Pool Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/02/02/orion-protocol-loses-3m-of-crypto-in-trading-pool-exploit"},{"credibility":1,"name":"Decentralized exchange Orion Protocol hacked for $3 million — The Block","type":"news_article","url":"https://www.theblock.co/post/208394/decentralized-exchange-orion-protocol-hacked-for-3-million"},{"credibility":2,"name":"Hunting Orion: The $3M Loss from a Reentrancy Attack — CertiK","type":"research","url":"https://www.certik.com/resources/blog/4se364ZqArmcLqzqsvXdUR-hunting-orion-the-usd3m-loss-from-a-reentrancy-attack"},{"credibility":2,"name":"Orion Protocol — REKT","type":"news_article","url":"https://rekt.news/orion-protocol-rekt"},{"credibility":2,"name":"Orion Protocol Hack Analysis — BlockApex","type":"research","url":"https://blockapex.io/orion-protocol-hack-analysis/"}]},{"content":"CertiK conducted an audit of Orion Protocol contracts on May 24, 2021; however, the audit's scope was explicitly limited to Orion's token and sale contracts and did not cover the ExchangeWithOrionPool contract that was ultimately exploited. The vulnerable exchange router contract (Ethereum address 0x98a877bb507f19eb43130b688f522a13885cf604) was therefore unaudited at the time of the attack. CertiK's post-exploit analysis noted that the root cause was the contract's lack of reentrancy protection during token swaps: 'the attacker can perform a reentrant call to deposit tokens during the swap, thus causing the deposit tokens to also be counted in the swap process.' SlowMist independently confirmed the same root cause. The audit gap between an audited token contract and unaudited exchange logic represents a common failure pattern in DeFi protocol security.","heading":"Audit Coverage Gap","severity":"high","sources":[{"credibility":2,"name":"Hunting Orion: The $3M Loss from a Reentrancy Attack — CertiK","type":"research","url":"https://www.certik.com/resources/blog/4se364ZqArmcLqzqsvXdUR-hunting-orion-the-usd3m-loss-from-a-reentrancy-attack"},{"credibility":2,"name":"CertiK Orion Skynet Project Page","type":"research","url":"https://skynet.certik.com/projects/orion"},{"credibility":2,"name":"SlowMist: An Analysis of the Attack on Orion Protocol","type":"research","url":"https://slowmist.medium.com/an-analysis-of-the-attack-on-orion-protocol-c7aef70aff83"},{"credibility":2,"name":"Orion CertiK Audit Blog Post — Orion Protocol Blog","type":"official","url":"https://blog.orionprotocol.io/certikaudit"}]},{"content":"Following the exploit, Orion Protocol CEO Alexey Koloskov stated publicly that 'all funds are safe and secure,' and attributed the vulnerability not to core protocol code but to 'a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers.' Co-founder Kal Ali posted on social media: 'Happy that no one were affected by the events. Things like this only make us work harder.' By February 4, 2023, the team published a development update covering bug fixes, UI changes, and backend progress. Koloskov later clarified that the exploit was contained to an internal broker account and that user funds were not affected. The team announced a commitment to develop all future contracts in-house to eliminate reliance on third-party libraries. Security researchers noted that the CEO's initial statement attributing the issue to third-party libraries was disputed by independent on-chain analysis, which identified the root cause as a reentrancy guard omission in the protocol's own swap contract logic.","heading":"Protocol Response and CEO Statements","severity":"medium","sources":[{"credibility":2,"name":"DeFi Protocol Orion Finance Gives Rundown on $3M Exploit — BeInCrypto","type":"news_article","url":"https://beincrypto.com/orion-protocol-post-mortem-details-3m-defi-exploit/"},{"credibility":2,"name":"Orion protocol suffers $3M hack due to third-party vulnerabilities — CryptoSlate","type":"news_article","url":"https://cryptoslate.com/orion-protocol-suffers-3m-hack-due-to-third-party-vulnerabilities/"},{"credibility":1,"name":"Orion Protocol Loses $3M of Crypto in Trading Pool Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/02/02/orion-protocol-loses-3m-of-crypto-in-trading-pool-exploit"}]},{"content":"After the exploit, approximately 1,100 ETH of the stolen funds were reported to have been deposited into Tornado Cash, a sanctioned privacy mixer, within days of the attack. Approximately $1 million in ETH was reported to remain in the attacker's Ethereum address as of early post-exploit reporting. On-chain analysis by PeckShield later identified a message from the exploiter's wallet indicating the attacker was 'willing to refund funs' (sic) and requesting that Orion Protocol supply a wallet address for the transfer. No verified public confirmation of a completed full or partial fund return has been found in available sources. The use of Tornado Cash to launder a significant portion of the stolen funds substantially reduces the probability of recovery.","heading":"Fund Laundering and Partial Recovery Signals","severity":"high","sources":[{"credibility":2,"name":"Orion Protocol exploiter willing to return stolen funds — Crypto.news","type":"news_article","url":"https://crypto.news/orion-protocol-exploiter-willing-to-return-stolen-funds/"},{"credibility":2,"name":"Orion Hacker Steals $3M, Wants to Give It Back — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/news/2023/02/09/orion-hacker-steals-dollar3m-wants-to-give-it-back/"},{"credibility":1,"name":"Orion Protocol Exploiter Address — Etherscan","type":"on_chain","url":"https://etherscan.io/address/0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1"},{"credibility":3,"name":"The Details Surrounding The $3 Million Hack of Orion Protocol — CoinLore","type":"news_article","url":"https://www.coinlore.com/crypto-news/view/the-details-surrounding-the-3-million-hack-of-orion-protocol"}]},{"content":"In 2024, Orion Protocol announced a rebrand and mainnet migration to Lumia, described as a 'hyper-liquid re-stake rollup layer 2 blockchain.' The ORN token was migrated to LUMIA at a 1:1 ratio. Major exchanges including Binance, MEXC, Crypto.com, and CoinSpot supported the token swap, with Binance reopening LUMIA/USDT trading pairs on October 18, 2024. The rebrand represents a significant pivot in the protocol's positioning from a DEX aggregator to a Layer 2 liquidity infrastructure project. The project's new domain operates at orion.xyz. The relationship between the exploit's reputational damage and the timing of the rebrand has not been formally addressed in available public statements.","heading":"Rebranding to Lumia (2024)","severity":"low","sources":[{"credibility":2,"name":"Binance will facilitate users swapping ORN to LUMIA this October — Crypto.news","type":"news_article","url":"https://crypto.news/binance-will-facilitate-users-swapping-orn-to-lumia-this-october/"},{"credibility":2,"name":"Crypto.com Is Supporting the Orion (ORN) to Lumia (LUMIA) Mainnet Token Swap","type":"official","url":"https://crypto.com/en/product-news/orn-to-lumia-mainnet-token-swap-and-rebranding"},{"credibility":2,"name":"MEXC Completes the Orion Protocol (ORN) Token Swap and Rebranding to Lumia (LUMIA)","type":"official","url":"https://www.mexc.com/support/articles/17827791519386"}]},{"content":"Orion Protocol was co-founded by Alexey Koloskov and Kal Ali, who met in early 2018. Koloskov holds a background in applied mathematics (Moscow State University, 2000–2005) and previously served as Chief Architect and Creator of the Waves DEX (waves.exchange), one of the earliest decentralized exchange platforms. He also held CTO roles at Holdvest prior to founding Orion. Kal Ali was previously a founding partner of Kanix, a software development company. Both founders are publicly named and have appeared at industry conferences. Koloskov's LinkedIn and public presence provide verifiable identity signals. No regulatory actions against named founders have been found in available sources.","heading":"Founders and Team","severity":"low","sources":[{"credibility":2,"name":"Alexey Koloskov — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/alexey-koloskov"},{"credibility":3,"name":"Alexey Koloskov — IQ.wiki","type":"other","url":"https://iq.wiki/wiki/alexey-koloskov"},{"credibility":2,"name":"Orion Protocol Profile — Messari","type":"research","url":"https://messari.io/project/orion-protocol/profile"}]}],"sources_used":[{"name":"Orion Protocol Loses $3M of Crypto in Trading Pool Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2023/02/02/orion-protocol-loses-3m-of-crypto-in-trading-pool-exploit"},{"name":"Decentralized exchange Orion Protocol hacked for $3 million — The Block","type":"news_article","url":"https://www.theblock.co/post/208394/decentralized-exchange-orion-protocol-hacked-for-3-million"},{"name":"Hunting Orion: The $3M Loss from a Reentrancy Attack — CertiK","type":"research","url":"https://www.certik.com/resources/blog/4se364ZqArmcLqzqsvXdUR-hunting-orion-the-usd3m-loss-from-a-reentrancy-attack"},{"name":"Orion Protocol — REKT","type":"news_article","url":"https://rekt.news/orion-protocol-rekt"},{"name":"Orion Protocol Hack Analysis — BlockApex","type":"research","url":"https://blockapex.io/orion-protocol-hack-analysis/"},{"name":"SlowMist: An Analysis of the Attack on Orion Protocol","type":"research","url":"https://slowmist.medium.com/an-analysis-of-the-attack-on-orion-protocol-c7aef70aff83"},{"name":"DeFi Protocol Orion Finance Gives Rundown on $3M Exploit — BeInCrypto","type":"news_article","url":"https://beincrypto.com/orion-protocol-post-mortem-details-3m-defi-exploit/"},{"name":"Orion protocol suffers $3M hack due to third-party vulnerabilities — CryptoSlate","type":"news_article","url":"https://cryptoslate.com/orion-protocol-suffers-3m-hack-due-to-third-party-vulnerabilities/"},{"name":"Orion Protocol exploiter willing to return stolen funds — Crypto.news","type":"news_article","url":"https://crypto.news/orion-protocol-exploiter-willing-to-return-stolen-funds/"},{"name":"Orion Hacker Steals $3M, Wants to Give It Back — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/news/2023/02/09/orion-hacker-steals-dollar3m-wants-to-give-it-back/"},{"name":"Orion Protocol Exploiter Address — Etherscan","type":"on_chain","url":"https://etherscan.io/address/0x3dabf5e36df28f6064a7c5638d0c4e01539e35f1"},{"name":"Decoding Orion Protocol's Reentrancy Exploit — QuillAudits","type":"research","url":"https://quillaudits.medium.com/decoding-orion-protocols-reentrancy-exploit-quillaudits-396de59449f7"},{"name":"Binance will facilitate users swapping ORN to LUMIA this October — Crypto.news","type":"news_article","url":"https://crypto.news/binance-will-facilitate-users-swapping-orn-to-lumia-this-october/"},{"name":"Crypto.com Supporting ORN to Lumia Token Swap","type":"official","url":"https://crypto.com/en/product-news/orn-to-lumia-mainnet-token-swap-and-rebranding"},{"name":"Alexey Koloskov — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/alexey-koloskov"},{"name":"Orion Protocol Profile — Messari","type":"research","url":"https://messari.io/project/orion-protocol/profile"},{"name":"CertiK Skynet — Orion Project Page","type":"research","url":"https://skynet.certik.com/projects/orion"},{"name":"Reentrancy Exploit Siphons $3m Off Orion Protocol — Crypto Daily","type":"news_article","url":"https://cryptodaily.co.uk/2023/02/reentrancy-exploit-siphons-3m-off-orion-protocol"}],"summary":"Orion Protocol is a decentralized liquidity aggregator that connects centralized and decentralized exchanges into a single non-custodial trading interface, launched in 2020 with its native ORN token. On February 2, 2023, the protocol suffered a reentrancy exploit that drained approximately $3 million across its Ethereum and Binance Smart Chain deployments through a malicious fake-token attack against an unaudited exchange contract. The protocol subsequently rebranded to Lumia in late 2024, migrating all ORN tokens to LUMIA at a 1:1 ratio.","timeline":[{"date":"2018-01-01","event":"Alexey Koloskov and Kal Ali meet and begin building Orion Protocol concept.","source":"IQ.wiki / Crunchbase","source_url":"https://iq.wiki/wiki/alexey-koloskov"},{"date":"2020-01-01","event":"Orion Protocol officially launches with its ORN ERC-20 token.","source":"ICO Drops / Phemex Academy","source_url":"https://icodrops.com/orion-protocol/"},{"date":"2021-05-24","event":"CertiK completes audit of Orion Protocol's token and sale contracts. The ExchangeWithOrionPool contract is not included in the audit scope.","source":"CertiK Blog","source_url":"https://www.certik.com/resources/blog/4se364ZqArmcLqzqsvXdUR-hunting-orion-the-usd3m-loss-from-a-reentrancy-attack"},{"date":"2023-02-02","event":"Reentrancy exploit drains approximately $2,836,206 from Orion Protocol's Ethereum deployment and $191,030 from BSC, totaling roughly $3 million. Attacker uses a custom malicious token (ATK) and flash-loaned stablecoins.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2023/02/02/orion-protocol-loses-3m-of-crypto-in-trading-pool-exploit"},{"date":"2023-02-02","event":"PeckShield and CertiK first identify and publicize the attack. CEO Alexey Koloskov states 'all funds are safe and secure' and attributes the vulnerability to third-party library mixing.","source":"CryptoSlate","source_url":"https://cryptoslate.com/orion-protocol-suffers-3m-hack-due-to-third-party-vulnerabilities/"},{"date":"2023-02-02","event":"Approximately 1,100 ETH of stolen funds are deposited into Tornado Cash by the attacker.","source":"CoinLore / U.Today","source_url":"https://u.today/orion-protocol-hacked-3-million-lost-heres-how"},{"date":"2023-02-04","event":"Orion Protocol publishes a development update with bug fixes and UI changes. CEO clarifies exploit was contained to an internal broker account; user funds reported unaffected.","source":"BeInCrypto","source_url":"https://beincrypto.com/orion-protocol-post-mortem-details-3m-defi-exploit/"},{"date":"2023-02-09","event":"PeckShield reports an on-chain message from the exploiter's wallet stating willingness to return stolen funds and requesting a refund address from Orion Protocol. No confirmed return is documented in available sources.","source":"Crypto.news","source_url":"https://crypto.news/orion-protocol-exploiter-willing-to-return-stolen-funds/"},{"date":"2024-10-15","event":"Orion Protocol begins token migration to Lumia (LUMIA) at a 1:1 ratio. Binance, MEXC, Crypto.com, and other major exchanges support the swap. Binance reopens LUMIA/USDT trading on October 18, 2024.","source":"Crypto.news","source_url":"https://crypto.news/binance-will-facilitate-users-swapping-orn-to-lumia-this-october/"}]},"v":1}