Origin Protocol Hack - November 2020
Overview
Origin Protocol, which issues the OUSD stablecoin, fell victim to a flash loan attack that occurred in the early hours of Tuesday, November 17, 2020. The loss of funds was around $7 million, including over $1 million in funds deposited by Origin and its founders and employees.
Technical Details
The attack exploited a reentrancy bug in the contract, which was safe from such bugs unless one of the supported stablecoins was itself attacking. The attacker exploited a missing validation check in the mint multiple function to pass in a fake "stablecoin" under their control. The vault then called "transferFrom" on that fake token, which handed control to the attacker's code and allowed a reentrancy attack on the contract.
The attacker triggered a rebase event inside the second mint, after funds had moved to OUSD from the first large mint but before the supply increased. This created a massive rebase for everyone in the contract, including the attacker. The attacker then received their first large OUSD mint, giving them in total more OUSD than the contract had assets.
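The accounting failure described above, as an added example that is not Origin's contract code: a simplified Python model of a vault that rebases before pulling deposits and raises supply only after every transfer, next to a hardened mode with an asset allowlist and a reentrancy lock. All class, function and account names, the amounts, and the rule that unsupported tokens add no backing value are assumptions made for illustration.

```python
class Reentered(Exception):
    """Raised by the hardened vault when mint is re-entered."""

class Token:
    def __init__(self, name, hook=None):
        self.name, self.hook = name, hook
    def transfer_from(self, sender, vault, amount):
        if self.hook:  # the token's own code decides what runs during a transfer
            self.hook(vault, sender)

class Vault:
    def __init__(self, supported, hardened):
        self.supported, self.hardened = set(supported), hardened
        self.assets = self.supply = 0  # backing value held / OUSD issued
        self.locked = False

    def rebase(self):
        # Backing above supply is treated as yield and credited to all holders.
        self.supply = max(self.supply, self.assets)

    def mint_multiple(self, who, deposits):
        if self.hardened:
            if self.locked:
                raise Reentered("mint re-entered during a transfer")
            if any(t.name not in self.supported for t, _ in deposits):
                raise ValueError("unsupported asset")
            self.locked = True
        try:
            self.rebase()
            minted = 0
            for token, amount in deposits:
                token.transfer_from(who, self, amount)  # external call
                if token.name in self.supported:
                    self.assets += amount
                    minted += amount
            self.supply += minted  # supply rises only after every transfer
        finally:
            self.locked = False

def replay(hardened, listed=False):
    """Constructed scenario: one honest deposit, then a mint with a callback token."""
    usdt = Token("USDT")
    fake = Token("FAKE", hook=lambda v, who: v.mint_multiple(who, [(usdt, 1)]))
    vault = Vault({"USDT", "FAKE"} if listed else {"USDT"}, hardened)
    vault.mint_multiple("alice", [(usdt, 100)])
    try:
        vault.mint_multiple("mallory", [(usdt, 1000), (fake, 0)])
    except (Reentered, ValueError) as exc:
        return type(exc).__name__, vault.supply, vault.assets
    return "accepted", vault.supply, vault.assets
```

With hardened=False the model ends with supply 2101 against assets 1101, so issued OUSD exceeds backing; with hardened=True the unlisted token is rejected before any state changes. Passing listed=True shows the lock stopping a listed token that calls back, though this model does not roll back earlier state the way an EVM revert would.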
Impact
Following the attack, the value of the OUSD stablecoin plunged and traded at $0.15 per token on November 17, representing an 85% decline from its dollar peg.
Fund Tracking
The attacker used both Tornado Cash and renBTC to wash and move funds, with 7,137 ETH and 2.249M DAI sitting in one of the attacker's wallets at the time.