DeFi Protocol Origin Lost Nearly $7 Million In a Major Exploit

Following Value DeFi’s flash loan attack, Origin Protocol has become the latest decentralized finance (DeFi) protocol to suffer an exploit. This exploit also occurred through a flash loan of Ether. In this exploit, the protocol lost $7 million worth of funds. This time the attacker did not return any funds back to the protocol. Reportedly, the native digital token of Origin OUSD was attacked and drained out by hackers.

A Flash Loan was used by the attacker

Reportedly, the attacker used a flash loan to conduct this exploit. A flash loan of around 70,000 ETH was taken out by the attacker from a major decentralized exchange (DEX) dYdX. The attacker, then, exchanged this flash loan into two stablecoins DAI and Tether (USDT) in a swap on the top-ranked decentralized exchange Uniswap.

Extra OUSD coins were minted with Tether by rebasing the contract of Origin. While analyzing the attack in further detail,  the cryptocurrency researcher Frank Topbottom said that a “transferFrom()” function was there in the contract that was used by the attacker due to which he was able to make use of it as a token.

While providing an update on the attack, the Co-Founder of Origin Matthew Liu said:

“The attacker exploited a missing validation check in mint multiple (when minting OUSD with multiple stablecoins) to pass in a fake ‘stablecoin’ under their control. This ‘stablecoin’ was then called ‘transferFrom’ on by the vault, allowing the hacker to exploit the contract with a reentrancy attack in the middle of the mint.”

Attacker drained $7 million

The attacker was able to drain nearly $7 million in Ether and DAI. An amount of 7,137 ETH and 2.25 million worth of DAI tokens were stolen. Not only users’ funds were involved in these exploited funds but $1 million worth of deposits made by the employees and founders of Origin were also present in it.

Liu has warned users not to purchase any OUSD coin on Sushiswap or Uniswap. He also said that they would be taking some measures in a bid to retrieve these stolen funds.

Leave a Reply

Your email address will not be published.