In the early hours of November 17, unknown hackers breached the Origin Dollar (OUSD) stablecoin network and withdrew user funds totaling more than $7 million. This was reported by Origin co-founder Matthew Liu.
Unfortunately OUSD was hacked 2 hours ago and there has been a loss of funds. The @OriginProtocol team is all-hands on deck working on resolving this issue. Please do not buy or mint OUSD right now. New updates will be coming every few minutes. https://t.co/D4qTwvnYoM
— Matthew Liu (@matthewliu) November 17, 2020
The attacker used a re-entrancy vulnerability in the network’s smart contract.
The value of OUSD is pegged to a basket of three other stablecoins: USDT, USDC and DAI.
“The attacker exploited a flash loan to manipulate the protocol for his own gain. This allowed him to trigger the rebalancing of the stablecoin and artificially inflate the supply of OUSD,” said Matthew Liu.
The stolen tokens were sold on Uniswap and Sushiswap for ETH, USDT and DAI.
One of the attacker’s wallets still holds 7,137 ETH and 2.2 million DAI.
According to analyst Frank Topbottom, the attacker managed to withdraw about $7.7 million in total.
6/8
Finally, he used SELFDESTRUCT for destroying the contract.
As a result, the attacker was able to get ~$7.7M:
— 2,249,821 DAI
— 11,804 ETH
Also, the attacker deposited 333 ETH to Tornado Cash and tried to wash money using:
1. Uniswap for swap ~4338 ETH to 120 WBTC
— Frank Topbottom (@FrankResearcher) November 17, 2020
He also drew attention to a similar attack vector used against Akropolis and noted that the hacker left an “Easter egg”: an unnecessary function argument containing an address connected to the Value DeFi breach.
8/8
Fun fact: an unnecessary argument *address* was used in collect() function called by the attacker, which is the address of @value_defi hacker. Whether this address is an easter egg, whether one attacker belongs to two hacks, or just trolling, we probably won’t know for sure. pic.twitter.com/Grkm32IHCW
— Frank Topbottom (@FrankResearcher) November 17, 2020
Origin has already contacted exchanges in an attempt to freeze the funds and identify the attacker.
The hacker used the Tornado Cash mixer and renBTC coins to launder and move funds.
In the coming days the company intends to recover the lost funds and discuss a possible compensation plan for affected OUSD holders.
Deposit functionality is temporarily disabled. Users were advised to refrain from buying OUSD on Uniswap and Sushiswap, as current prices do not reflect the “fundamental” value of Origin Dollar.
Origin has offered the hacker the chance to return the funds voluntarily, promising not to involve law enforcement and even to hire him as a security consultant.
As a result of the attack, the OUSD stablecoin has devalued by 85% — to $0.14, according to CoinGecko.
Earlier, CipherTrace reported that since the start of the year losses from DeFi protocol hacks have exceeded $99 million.