DeFi protocol Origin gets attacked, loses $7 million

Quick Take

  • DeFi protocol Origin was exploited late Monday night and lost about $7 million.
  • A reentrancy bug in Origin’s smart contracts led to the attack. 

Decentralized finance (DeFi) protocol Origin was exploited late Monday night and lost nearly $7 million worth of funds.

The amount includes user funds, as well as $1 million worth of deposits by Origin founders and employees. The attacker exploited Origin Protocol's Origin Dollar (OUSD) vault and drained most of its stablecoins. OUSD is Origin's native stablecoin, backed by three other stablecoins: Tether (USDT), Circle and Coinbase's USDC, and MakerDAO's DAI.

The exploit resulted in the attacker gaining at least 7,137 ETH (worth about $3.3 million) and 2.25 million DAI (worth about $2.25 million). How did the funds move out of the OUSD vault to the attacker's wallets?

Matthew Liu, Origin's co-founder, said a reentrancy bug in Origin's smart contracts made the attack possible. Such bugs can allow an attacker to call back into a contract before an earlier call has finished, and so withdraw more funds than they are eligible for.

"The attacker exploited a missing validation check in mint multiple (when minting OUSD with multiple stablecoins) to pass in a fake 'stablecoin' under their control," said Liu. "This 'stablecoin' was then called 'transferFrom' on by the vault, allowing the hacker to exploit the contract with a reentrancy attack in the middle of the mint."

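The two safeguards implied by Liu's description, an asset allowlist checked before any external call and a reentrancy guard on the mint, can be seen in a simplified Python model. This is an added illustration, not Origin's contract code; the class names, the "HOOKED" token, the balances and the 1:1 accounting are all assumptions made for the example.

```python
# Constructed toy model of a vault mint; every name here is hypothetical.
class UnsupportedAsset(Exception): pass
class ReentrantCall(Exception): pass

class Token:
    """Toy token: transfer_from runs an optional hook, then moves balances."""
    def __init__(self, name, hook=None):
        self.name, self.hook, self.balances = name, hook, {}
    def transfer_from(self, sender, recipient, amount):
        if self.hook:
            self.hook()  # token-controlled code runs while the vault is mid-mint
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

class Vault:
    def __init__(self, supported, hardened):
        self.supported, self.hardened = set(supported), hardened
        self.depth, self.nested_mints, self.ousd = 0, 0, {}
    def mint_multiple(self, user, deposits):
        if self.depth:  # a mint is already in progress
            if self.hardened:
                raise ReentrantCall("mint already in progress")
            self.nested_mints += 1  # unguarded vault lets the nested mint run
        if self.hardened:  # validate every asset before any external call
            for token, _ in deposits:
                if token not in self.supported:
                    raise UnsupportedAsset(token.name)
        self.depth += 1
        try:
            for token, amount in deposits:
                token.transfer_from(user, "vault", amount)  # external call
                self.ousd[user] = self.ousd.get(user, 0) + amount  # simplified 1:1
        finally:
            self.depth -= 1

def run(hardened, allow_hooked=False):
    """Mint with a token whose transfer_from calls back into the vault."""
    dai = Token("DAI")
    dai.balances["user"] = 100
    hooked = Token("HOOKED", hook=lambda: vault.mint_multiple("user", [(dai, 10)]))
    hooked.balances["user"] = 1
    vault = Vault([dai, hooked] if allow_hooked else [dai], hardened)
    try:
        vault.mint_multiple("user", [(hooked, 1)])
        return "minted", vault.nested_mints
    except (UnsupportedAsset, ReentrantCall) as exc:
        return type(exc).__name__, vault.nested_mints
```

With `hardened=False` the nested mint completes inside the outer one; with `hardened=True` the allowlist rejects the unknown token, and the guard still blocks re-entry if a callback-capable token is ever allowlisted.
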
"The at