Origin's decentralized finance (DeFi) protocol was hacked on November 16, lost more than $ 7M.
An attacker exploited a vulnerability in the Origin stablecoin contract (OUSD) and withdrew most of the tokens. Origin stablecoin is backed by three other stablecoins: Tether (USDT), USDC from Circle and Coinbase, and DAI from MakerDAO.
Matthew Liu, the co-founder of Origin, said “An attacker took advantage of the lack of re-validation in multiple coins (when issuing OUSD with multiple stablecoins) to issue a counterfeit stablecoin for themselves,” Liu said, "He received more OUSD than was in the contract."
A researcher nicknamed Frank Topbottom analyzed the attack in detail and concluded that flash credit was used to implement it. The attacker took a flash loan of 70,000 ETH on the dYdX decentralized exchange and exchanged those ETH for USDT and DAI for Uniswap. They then exploited a vulnerability in the Origin smart contract and issued additional OUSDs.
Additional OUSD tokens were exchanged for ETH and DAI through Uniswap and SushiSwap. According to Topbottom, the attacker was able to embezzle about $ 7.7 million in 11,804 ETH and 2,249,821 DAI.
Origin is currently analyzing the attack in detail and is expected to release a full report shortly. Liu urged users not to buy OUSD on Uniswap or SushiSwap as current prices do not reflect the underlying assets of the stablecoin. On Uniswap, OUSD is trading around $ 0 and has no liquidity.
The well-known crypto fund Pantera Capital invested $ 3 million in the Origin project in 2017.