Origin Protocol confirmed that its stablecoin, Origin Dollar (OUSD) has been hacked for around $7 million in Ethereum and DAI. Origin hack has become at least the fourth decentralized finance (DeFi) project hacked less than in a month.
November 17, 2020 | AtoZ Markets – During the wee hours of November 17, unknown persons hacked the Origin Dollar (OUSD) stablecoin network and withdrew user funds worth more than $7 million, Origin co-founder Matthew Liu said.
Unfortunately OUSD was hacked 2 hours ago and there has been a loss of funds. The @OriginProtocol team is all-hands on deck working on resolving this issue. Please do not buy or mint OUSD right now. New updates will be coming every few minutes.https://t.co/D4qTwvnYoM— Matthew Liu (@matthewliu) November 17, 2020
How was Origin Dollar hacked?
An attacker took advantage of a network smart contract re-entry vulnerability. The value of the OUSD stablecoin is calculated using three other stablecoins: USDT, USDC and DAI.
“The attacker used the instant loan to manipulate the protocol for his own benefit. This allowed him to trigger the process of rebalancing the stablecoin and artificially inflate the OUSD offer, ”said Matthew Liu.
The cracker sold the stolen coins on Uniswap and Sushiswap for ETH, USDT, and DAI.
Now, one of the attacker’s wallets still contains 7137 ETH and 2.2 million DAI.
According to analyst Frank Topbottom, in total, the attacker managed to withdraw about $ 7.7 million.
5/8— Frank Topbottom (@FrankResearcher) November 17, 2020
After this manipulation attacker made:
– 7 transactions in which he redeemed his OUSD
– 2 transactions to swap 300k OUSD to USDT on Uniswap
– 4 transactions with profit collection (swap all USDT and USDC for ETH on Uniswap and withdraw DAI and ETH from attack contract)
He also drew attention to a similar attack vector with Akropolis and noted that the hacker left the Easter egg as an optional function with the address involved in hacking the Value DeFi project.
7/8— Frank Topbottom (@FrankResearcher) November 17, 2020
2. Curve for swap 120 WBTC to ~120 renBTC
3. REN for withdrawal ~120 BTC to four addresses:
Origin has already contacted exchanges in an attempt to freeze funds and identify the attacker.
The hacker is known to have used the Tornado Cash mixer and renBTC coins to launder and transfer funds.
In the coming days, the company intends to recover the lost funds and discuss a possible compensation plan for the affected OUSD owners.
The ability to make deposits is temporarily disabled. Users were advised to temporarily stop buying OUSD on the Uniswap and Sushiswap exchanges, as the current prices do not correspond to the fundamental value of the Origin Dollar.
Message to Origin hacker
Origin has extended an invitation to the hacker to voluntarily return the stolen funds. In addition, Origin has promised not to contact law enforcement and even hire him as a security consultant.
An attack stablecoin OUSD fell by 85% – to $0.14, according to CoinGecko.
Earlier, CipherTrace analysts reported that since the beginning of 2020, the damage from hacking DeFi-protocols exceeded has $99 million.
Think we missed something? Let us know in the comment section below.