A smart contract vulnerability in ORE’s staking program allowed an attacker to improperly claim 25.5 SOL, roughly $2,125, from the protocol’s yield mechanism. The exploit was disclosed on June 17, and while the dollar amount is modest by crypto exploit standards, the incident forced ORE to require all stakers to migrate to an entirely new contract before they can start earning rewards again.

What happened and what ORE is doing about it

ORE is a proof-of-work mining protocol built on the Solana blockchain. The protocol allows miners to stake either SOL or ORE tokens and earn yield generated through protocol revenue, not through token inflation.

The bug was in the staking program’s smart contract and let an attacker claim yield they weren’t entitled to. The protocol has confirmed that user deposits themselves remain secure, meaning the vulnerability was isolated to the yield distribution mechanism rather than the underlying staked assets.

On May 29, about three weeks prior to the disclosure, the protocol froze its staking program as part of a broader security upgrade. That initiative was aimed at permanently locking the contract policy to eliminate potential upgrade authority risks, essentially removing the ability for anyone, including the team, to modify the contract after deployment.