Origin Protocol Emptied of $7 million in Yet Another Flash Loan Attack

Key Takeaways

  • Origin Protocol suffered a flash loan attack last night, leading to losses of $7 million.
  • The Origin Protocol team has announced its plans to compensate affected users. An investigation into the incident is ongoing.
  • Attack is the latest in a string of multi-million dollar losses resulting from flash loan exploits.

Share this article

Origin Protocol has been drained of $7 million. The incident occurred late last night as part of a sophisticated attack involving a 70,000 ETH flash loan.

Origin’s co-founder Matthew Liu took to Twitter to share details of the attack, urging users to avoid buying or minting OUSD. OUSD is Origin’s native token. It is a stablecoin roughly pegged to the U.S. dollar, and it’s designed to provide yield to its holders.

But following last night’s attack, the token’s value plummeted 85% to around $0.14. The sudden price drop has left anyone with significant OUSD holdings facing substantial losses. 

Origin Protocol has posted an initial synopsis of the incident.

After borrowing over $32 million worth of ETH, the attacker took advantage of a reentrancy bug in Origin’s contract. They successfully executed a rebase event to increase the supply of OUSD before swapping their takings on Uniswap and Sushiswap.

A rebase event is essentially a process in which an asset’s reserves are increased. It’s an innovation that’s been embraced in DeFi recently, though not always with positive results. In August, Yam Finance memorably suffered a catastrophe partly as a result of its rebasing mechanism. 

The attacker’s steps can be followed on Etherscan

The Origin team has stated that it will be investigating the incident in the coming days. They have also confirmed their plans to recover the funds and compensate affected OUSD holders.

A statement on Origin’s Medium blog reads as follows: 

“We will be taking exhaustive measures in the next few days in an attempt to recover lost user funds before discussing a compensation plan for affected OUSD holders. As a reminder, please do not buy OUSD on Uniswap or Sushiswap as the current prices do not reflect OUSD’s underlying assets.”

Origin has also sent thanks to the wider DeFi community for their help in dealing with the fallout from the incident, as well as a plea to the attacker. “We humbly ask you to consider the hundreds of innocent people you are hurting and return the funds,” they said. 

Since the attack, several users have sent on-chain messages to the perpetrator asking them to return some of the takings. One message read:

“Hi! Great job on your successful flash loan arbitrage. This is a long shot, but I lost ~$1k due to it, and I figure no harm in asking if you could please send me some $$ to reduce my loss?
Would mean a lot to me and my student loans. Although you’re under no obligation to do so.
Thank you.”

The victim’s message is available to view on Etherscan.

The attacker’s address also shows that they have converted some funds to RenBTC over the last few hours. They also moved hundreds of ETH through Tornado.cash, a tool that helps users preserve anonymity on the Ethereum network.

Of course, Origin’s attacker isn’t the only DeFi expert to successfully execute a flash loan and end up making off with millions of dollars.

Last night’s incident is only the latest example in a string of large-scale attacks following recent exploits on Harvest, CheeseBank, Akropolis, and Value DeFi. 

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.

Source: Read Full Article