Origin Protocol‘s yield-generating stablecoin project OUSD has been the target of a re-entrance attack, which resulted in the loss of assets worth $7 million, the protocol’s team said in a blog post on 17 November.
According to the announcement, the project has already disabled deposits to the OUSD vault, and has warned users to not purchase OUSD from Uniswap or SushiSwap, as their prices “do not reflect OUSD’s underlying assets”. It was also revealed that out of the stolen $7 million worth of assets, which included Dai and Ethereum (ETH), $1 million were deposited by the firm, its founders and employees.
After getting alerted of the attack, the firm moved quickly to investigate the issue, and find the exact nature of how the hack was carried out. According to an update from Origins’s founder, Matthew Liu, the unknown attacker utilized a 70,000 ETH flash loan from dYdX to exploit a vulnerability in the OUSD contracts. By artificially inflating the supply of the stablecoin within the protocol, at one point the hacker held more than 38 million OUSD, which exceeded the value of the vault. He then used the newly minted OUSD tokens to acquire USDT through SushiSwap and Uniswap.
The blog post explains:
“The attacker exploited a missing validation check in mint multiple (when minting OUSD with multiple stablecoins) to pass in a fake ‘stablecoin’ under their control. This ‘stablecoin’ was then called ‘transferFrom’ on by the vault, allowing the hacker to exploit the contract with a reentrancy attack in the middle of the mint.”
Origin’s team is currently doing their best to recover the missing funds, but a substantial amount has already been laundered through Tornado.Cash, wBTC, and renBTC. The project is expected to release a full post-mortem of the event in the following days, as well as a post outlying their plans to compensate affected users.