White hat hackers save Arbitrum-based protocol from Orange Finance-style contract attack

A white hat hacker managed to claw back $1.47M in USDC from a recent smart contract exploit that hit the Moby Trade options protocol on Arbitrum. While the ethical hackers did not mention the protocol, it was later identified as the Moby futures market.

Just a day earlier, Orange Finance and Stryke Protocol saw a similar exploit that hijacked funds via exploited smart contracts.

One of the first major exploits of 2025 has been partially reversed by a white hat on-chain programmer. Apparently, after the hacker gained access to the smart contract, it still allowed third parties to make changes and drain the funds. 

This is the second attack where the hacker gains control and changes a smart contract. The attacks have affected protocols on two consecutive days, with Orange Finance, Stryke Protocol, and Moby Trade affected so far.

On-chain expert @tonykebot, developer at Solayer Labs, managed to reclaim $1.5M in USDC, even though the exploiter still made away with WETH and WBTC before the intervention.

At the moment the exploit was identified, the vulnerable contracts contained 1.47M USDC, 3.7 WBTC, and 206.9 WETH. The initial report was of a partial fund drain, where mostly WETH was transferred to the main network and exchanged. 

The amounts stolen pointed to Moby Finance, a liquidity app for Arbitrum and Berachain. So far, no connection has been discovered between the two incidents, though they take a similar approach of attacking contracts with significant liquidity locked.

We just automatically hacked the hacker and rescued 1.4M USDC!

100% of fund were returned to the project owner

> 🧵 Here's how the hacker is whitehat-hacked pic.twitter.com/R3SF5hIZnh

— Tony KΞ (@tonykebot) January 9, 2025

While the analysts did not mention the protocol or the reason for the exploit, they managed to track and retrieve funds on the Arbitrum L2 chain. The white hat hackers made a call to the compromised contract, taking some of the funds into safe custody.

On-chain researcher and Solayer labs developer Chaofan Shou also noted the transaction, identifying the white hat approach a few hours earlier. 

The attempted Moby Protocol hack was prevented in a single transaction, saving a total of $1.47M.

The victims of the earlier attack, Orange Finance and Stryke, also sent out a message to their hacker, even though so far, the only funds saved are from frozen contracts.

Moby Finance tells users to revoke permissions

Similar to the Orange Finance hack, Moby Finance urged users to stop interacting with its contracts and revoke permissions through legitimate links. 

As some of the funds on Moby Finance were tied to decentralized trades and options positions, the app is reportedly prepared to compensate users at the most favorable price. Withdrawals and deposits were closed after the initial attack, but when they reopen, the project will ensure enough withdrawal liquidity through its treasury. 

Initially, the protocol was supposed to open again this Thursday but will remain inactive longer to perform a full investigation. In addition to attracting on-chain researchers and ethical hackers, Moby Finance is also working with state authorities for a more thorough investigation.

Arbitrum-based Orange Finance blames compromised private keys 

Orange Finance pointed to private key leakage as the main source of the exploit and said that was why the hacker could make changes to the contracts. About 50% of the TVL from the contracts is secured on Stryke Protocol, which has also stopped deposits and withdrawals. 

While the direct amount of losses was relatively small on the crypto scale, Orange Protocol was still key to the Arbitrum ecosystem. The chain locks in $2.93B in its DeFi protocols, carrying a total of 672 protocols of varying sizes. 

Arbitrum mirrors Ethereum blockchain apps on a smaller scale, also carrying versions of Aave (AAVE), Uniswap, and other lending and DEX protocols. 

The biggest losses may be incurred by Orange Finance and Stryke liquidity providers, who are unable to control their stakes. The contracts will remain locked, with no deposits or withdrawals. However, the white hat hackers are preparing to redistribute the funds safely.

Following the news, ARB tokens traded near their lower range for the week at $0.76. Arbitrum remains the most liquid host of stablecoins, holding $6.28B in various tokens. Arbitrum’s DeFi protocols are already attracting hackers, with a mix of phishing and smart contracts exploits already reported this year.

Land a High-Paying Web3 Job in 90 Days: The Ultimate Roadmap