# What happened in the ORE staking program?
A vulnerability in ORE's staking program allowed an attacker to improperly claim 25.5 SOL, valued at approximately $2,125, from the protocol’s yield distribution system. This incident was disclosed on June 17. While the amount taken may seem minor compared to other exploits in the crypto space, it triggered an immediate response from ORE, necessitating that all stakers migrate to a completely new smart contract to resume earning rewards.
ORE operates on the Solana blockchain as a proof-of-work mining protocol. This innovative protocol permits miners to stake SOL or ORE tokens and earn yield based on protocol revenue, rather than relying on token inflation, which is a critical feature for many investors.
The vulnerability was located in the staking program's smart contract. The flaw allowed an unauthorized user to claim yield they had no right to. Thankfully, the protocol has assured its users that their deposits remain secure, indicating the issue was confined to how yield was distributed and did not affect the staked assets themselves.
# What steps is ORE taking to address the vulnerability?
About three weeks before the disclosure, on May 29, ORE had proactively frozen its staking program as part of a broader security upgrade. The freeze was aimed at permanently securing the contract by eliminating upgrade-authority risk, ensuring that the contract could not be modified after deployment, even by the team itself.
The resolution to this situation involves stakers migrating to a new smart contract. Until this crucial step is completed, yield accumulation has been halted. However, ORE has not yet provided a public timeline regarding how long the migration window will remain open or when a comprehensive post-mortem analysis will be available.
# What does this mean for investors and current stakers?
The immediate action for current ORE stakers is straightforward: migrate to the new contract as soon as possible. Stakers who delay this migration risk holding assets that are not generating any yield during this pause.
ORE has undergone several refinements since its launch in early 2024. The protocol communicated this breach primarily through social media channels. However, it has not disclosed detailed information about the attacker or published a thorough post-mortem analysis.
It's important to note that the vulnerability lies within ORE’s staking logic and not within Solana’s infrastructure. Investors, particularly those considering smaller DeFi protocols, should take this incident as a case study highlighting the need for diligent audit reports. Despite ORE’s efforts to enhance its security measures and its prior decision to freeze its staking program for these upgrades, an exploitable bug still emerged.