Flash Loan Attack Dupes Origin Protocol of $7 Million Funds, Investigation Underway
Another week, another flash loan attack on a yield-generating blockchain protocol.
Origin Protocol Compromised
In an announcement made earlier today, the Co-Founder of Origin Protocol, Matthew Liu told the Origin community that Origin Dollar (OUSD) – the yield-generating stablecoin on the protocol – had been hacked.
Notably, the protocol has been hacked to the tune of $7 million which includes more than $1 million deposited by Origin and its founders and employees. The funds most comprised of decentralized stablecoin DAI and ether (ETH), the announcement reads.
For the uninitiated, Origin Protocol unveiled the OUSD stablecoin in September this year aiming to tap into the rapidly evolving DeFi market.
Although there is still no certainty as to how exactly the attack was carried out, the Origin team noted a suspicious flash-loan transaction that could be “the root of the attack.” The transaction cost more than half ETH (0.54 ether) to complete, data shows.
What Do We Know So Far?
In the investigation following the attack, several facts have come to light.
First, the Origin Protocol is actively working with exchanges and other third-parties to potentially identify the hackers and/or freeze funds from being liquidated.
Further, the team has traced the stolen funds and now knows that the hacker used both Tornado Cash and renBTC to “wash and move funds.”
At the time of writing, there is still 7,137 ETH and 2.249 million DAI sitting in one of the attacker’s wallets.
According to the announcement, the attack was a reentrancy bug in one of Origin’s contracts. Unfortunately, the protocol’s contracts were safe from reentrancy bugs unless one of its own supported coins was attacking it.
The announcement urges users to not buy OUSD on Uniswap or Sushiswap as the token’s current prices do not correctly capture OUSD’s underlying assets.
The team has also urged the hacker to “do the right thing and return the funds.” In return, for their superior skills as a hacker, the protocol has promised to hire the hacker as a security consultant.
In related news, BTCManager reported that DeFi protocol bZx had suffered its third major hack of the year, resulting in the loss of funds to the tune of $8 million. These funds, however, were swiftly recovered by the protocol.