Orange Finance Admin Key Compromise
Orange Finance on Arbitrum lost ~$844K after its admin key was compromised, used to alter strategy contracts and withdraw managed Uniswap v3 positions.
- Date
- Victim
- Orange Finance
- Chain(s)
- Status
- Funds Stolen
On January 23, 2024, the Arbitrum liquidity-management protocol Orange Finance lost approximately $844,000 after its operator/admin key was compromised. The attacker used legitimate admin functions to modify strategy contracts and withdraw the protocol's managed Uniswap-v3 positions.
What happened
Orange's automated LP strategies were controlled by an admin/operator key. The key was compromised (vector undisclosed; consistent with endpoint/credential theft). The attacker invoked legitimate privileged functions to redirect and withdraw managed liquidity — no contract bug required.
Aftermath
- Orange paused, rotated keys, and pursued limited recovery.
Why it matters
Orange Finance is one more small data point on the catalogue's largest single line: single admin/operator keys are the actual security model regardless of contract quality. It sits on the same line as EasyFi ($81M), Steadefi ($1.14M), and Bybit ($1.46B) — six orders of magnitude of loss, identical root cause. The defence is invariant across the scale: hardware-wallet-only signing, multi-sig with independent signers, timelocked admin actions, and the operating assumption that any single key-holder's machine is already compromised. The amount differs; the lesson does not.
Sources & on-chain evidence
- [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-orange-finance-hack-january-2024
- [02]crypto.newshttps://crypto.news/arbitrums-largest-liquidity-manager-orange-finance-loses-840k-in-hacker-attack/
- [03]rekt.newshttps://rekt.news/orange-finance-rekt