ORE smart contract bug let attacker drain 25.5 SOL from staking program


A smart contract vulnerability in ORE’s staking program allowed an attacker to improperly claim 25.5 SOL, roughly $2,125, from the protocol’s yield mechanism. The exploit was disclosed on June 17, and while the dollar amount is modest by crypto exploit standards, the incident forced ORE to require all stakers to migrate to an entirely new contract before they can start earning rewards again.

What happened and what ORE is doing about it

ORE is a proof-of-work mining protocol built on the Solana blockchain. The protocol allows miners to stake either SOL or ORE tokens and earn yield generated through protocol revenue, not through token inflation.

The bug in question was located within the staking program’s smart contract. It gave an attacker the ability to claim yield they weren’t entitled to. The protocol has confirmed that user deposits themselves remain secure, meaning the vulnerability was isolated to the yield distribution mechanism rather than the underlying staked assets.

On May 29, about three weeks prior to the disclosure, the protocol froze its staking program as part of a broader security upgrade. That initiative was aimed at permanently locking the contract policy to eliminate potential upgrade authority risks, essentially removing the ability for anyone, including the team, to modify the contract after deployment.

The fix requires stakers to migrate to a new smart contract. Until they do, yield accumulation is paused. No timeline has been publicly shared for how long the migration window will remain open or when a full post-mortem analysis will be published.

What this means for stakers and investors

For current ORE stakers, the immediate action item is clear: migrate to the new contract. Failing to do so means sitting on assets that aren’t generating any yield.

ORE has undergone several iterations since it first launched in early 2024. The protocol communicated the breach primarily through social media, and neither details about the attacker nor a comprehensive post-mortem analysis have been disclosed.

The vulnerability here was in ORE’s staking logic, not in Solana’s infrastructure. Investors evaluating smaller DeFi protocols should treat this as a case study in why audit reports are necessary but not sufficient. ORE had been actively improving its security posture, had frozen its staking program as part of a security upgrade, and still ended up with an exploitable bug.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
