DeFi protocol Origin gets attacked, loses $7 million

Decentralized finance (DeFi) protocol Origin was exploited late Monday night and lost nearly $7 million worth of funds.

The amount includes user funds, as well as $1 million worth of deposits by Origin founders and employees. The attacker exploited Origin Protocol's Origin Dollar (OUSD) vault and drained most of its stablecoins. OUSD is Origin's native stablecoin, backed by three other stablecoins: Tether (USDT), Circle and Coinbase's USDC, and MakerDAO's DAI.

The exploit resulted in the attacker gaining at least 7,137 ETH (worth about $3.3 million) and 2.25 million DAI (worth about $2.25 million). How did the funds move out of the OUSD vault to the attacker's wallets?

Matthew Liu, Origin's co-founder, said a reentrancy bug in Origin's smart contracts made the attack possible. Such bugs can allow attackers to withdraw more funds from a contract than they are eligible for via re-entrancy.

"The attacker exploited a missing validation check in mint multiple (when minting OUSD with multiple stablecoins) to pass in a fake 'stablecoin' under their control," said Liu. "This 'stablecoin' was then called 'transferFrom' on by the vault, allowing the hacker to exploit the contract with a reentrancy attack in the middle of the mint."

"The attacker was able to create a rebase event inside the second mint after funds had moved to OUSD from the first large mint, but before the supply of OUSD increased. This created a massive rebase for everyone in the contract, including the attacker. The attacker then also received their first large OUSD mint, giving them in total more OUSD than the contract had assets."

The attacker then sold the extra OUSD on Uniswap and SushiSwap for USDT, said Liu. They also used crypto-mixing service Tornado Cash and wrapped bitcoin renBTC "to wash and move funds," Liu noted.

Flash loan 

Crypto researcher who goes by the name "Frank Topbottom" analyzed the attack in detail and said a flash loan was used in the process. The attacker took a flash loan of 70,000 ETH from decentralized exchange dYdX and swapped these ETHs into USDT and DAI on Uniswap. They then rebased Origin's contract and minted extra OUSD with USDT.

Specifically, the malicious contract which the attacker used had a "transferFrom()" function, Topbottom told The Block. This function gave the attacker the ability to use the contract as a token. "During the call of transferFrom() function, there was a second call of the mint() function. The call of mint() function occurred inside the execution of another mint() function [mintMultiple()]. This is how re-entrancy took place and allowed the attacker to cause additional rebasing and inflate OUSD supply," Topbottom told The Block. 

The extra OUSD coins were then swapped into ETH and DAI on Uniswap and SushiSwap. According to Topbottom, the attacker was able to pocket about $7.7 million in the form of 11,804 ETH and 2,249,821 DAI.

Put simply, by exploiting the rebase function of Origin and minting the extra OUSD at no cost, the attacker was able to withdraw real stablecoins.

Origin is currently analyzing the attack in detail and is expected to post more updates soon. Meanwhile, Liu has urged users to not buy OUSD on Uniswap or SushiSwap as the current prices do not reflect the stablecoin's underlying assets. OUSD is currently worth near $0 and has no liquidity, according to Uniswap.

OUSD was launched by Origin this September to work like a savings account. Origin is backed by venture firm Pantera Capital, which led its $3 million round in 2017.