VERDICT —OUT OF SCOPE
Root cause is private-key / signer compromise — the on-chain contract behaved exactly as written. No pre-deployment source audit or bytecode review reaches the key-custody perimeter; this is operational-security territory (HSM/MPC hygiene, key rotation, hot-wallet isolation). Bytecode would show nothing wrong.
▰ METHOD
PRIVATE KEY
PRIVATE-KEY
Root cause
Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Forensic narrative
The Arbitrum-based liquidity management project Orange Finance suffered a $830,000 asset theft due to a misconfigured multi-sig. The attacker gained ownership of each vault, modified their implementations, and withdrew both the deposited assets and excessively approved funds. About 94% (roughly $780,000) of the total loss came from deposited assets, while the remaining 6% (around $47,000) resulted from excessive approvals. Attack method (per SlowMist): Private Key Leakage. Reported loss: $ 830,000.
Primary source
https://mirror.xyz/0x6FA2aF9a4d6fFe654361F713780963C10412e7c3/gN17YMrLhKKg9YT9a391U74pWr9IhqBUDWUqDyDamjE ↗Sourced from
slowmist
Technical record
- chain
- arbitrum
- protocol
- Orange Finance
- bug_class
- private-key
- date_occurred
- 2025-01-08
- loss_usd
- $830,000
- source_id
- sm:orange-finance::2025-01-08
Related — same bug class· private-key