Yet another security breach has left the world aghast when one of the most popular DeFi protocols built on the Arbitrum blockchain, named Orange Finance, lost more than $840,000 to hackers. The attacker, who broke into the platform by attacking the vulnerabilities in the smart contracts, compromised the admin address and successfully withdrew funds from the system.

According to Cyvers Alerts, the stolen funds were immediately converted to ETH, making it very difficult to trace the assets or recover them. Though the Orange Finance team is actively investigating the incident, information on how the hack occurred remains scarce.

Users have been advised to not interact with the affected smart contracts and revoke any approvals granted to Orange Finance. The team confirmed that the compromised contract is no longer under their control, and they are working to secure the platform and prevent further losses.

Orange Finance also sent the hacker a message through Arbiscan, a blockchain explorer for Arbitrum, offering him a deal for the return of the funds stolen. It’s uncertain what the outcome of the situation would be, as it is currently an amicable approach by the team.

Orange Finance wrote, “We have an offer related to this matter. Please contact us at “[email protected]” to discuss it. If you respond positively to our offer within 24 hours, we guarantee that no law enforcement agencies will be involved, and the matter will be treated as a white-hat hack.”

This attack highlights the persistent risks associated with DeFi platforms, especially those related to vulnerabilities in smart contracts. Users should be careful and vigilant with their digital assets, especially when interacting with platforms that have recently had security incidents.

Orange Finance assures the community to keep posted on updates about their investigations and attempts to recover stolen funds. This will be provided as and when available.

The Aave community is considering a proposal to withdraw its lending services from Polygon’s PoS chain due to concerns about security risks linked to bridged assets.

This follows a proposal from the Polygon community to use over $1 billion in bridge assets for yield generation, which raised concerns about potential vulnerabilities. Aave, the largest decentralized app on Polygon with over $466 million in deposits, is worried that these changes would increase the risk to users.

Marc Zeller, the founder of Aave Chan, authored the proposal to adjust risk parameters for Aave’s Version 2 and Version 3 protocols on the Polygon network.

He wants to protect the protocol from future security issues, citing past incidents where bridge vulnerabilities led to major losses in the DeFi ecosystem, such as the Ronin, BNB “Bridge,” Nomas, Multichain, Harmony, and Wormhole hacks.

Zeller said, “The adjustments are in response to an upcoming proposal that will significantly impact the risk profiles of bridged assets within the Polygon network.”

The proposal suggests making significant adjustments to reduce security risks and encourage migration from the Polygon network.  It includes setting the loan-to-value (LTV) for all assets on Aave V2 and V3 on Polygon to 0%, making borrowing impossible.

The reserve would be raised to 85%, discouraging deposits and promoting migration. Aave also plans to remove support for Aave V3 Polygon in the Safety Module and cancel the umbrella deployment on Polygon.

Additionally, the proposal recommends migrating Aave Governance V3 voting to a more secure Layer 2 network, freezing reserves for key assets like USDC.e, USDT, wETH, wstETH, DAI, wBTC, AAVE, LINK, GHST, EURS, and StMATIC, gradually reducing LTV for bridged assets. These changes aim to enhance security and incentivize users to move away from Polygon.

Last week, Allez Labs, in collaboration with DeFi protocols Morpho and Yearn, proposed a plan to deploy around $1.3 billion in stablecoin reserves from the Polygon PoS bridge into lending protocols to generate yield. The proposal highlighted that the idle reserves are causing an opportunity cost of about $70 million annually. However, the Polygon community has yet to vote on the proposal.

Zeller cites concerns about the security risks of using funds from the canonical bridge. He warned that rehypothecation of user deposits in liquidity pools could expose them to bad debt and significant risks, unlike safer strategies employed by other chains, such as liquid staking, or MakerDAO’s savings rate.

While the Polygon proposal is still in the early discussion stage, Polygon Labs has emphasized that security will be a priority as it moves forward with any yield-generation strategies.