Origin Protocol Emptied of $7 million in Yet Another Flash Loan Attack
Origin Protocol has suffered a major exploit, leading to a loss of around $7 million. The protocol was attacked using a flash loan and manipulation of the protocol’s rebase system.
- Origin Protocol suffered a flash loan attack last night, leading to losses of $7 million.
- The Origin Protocol team has announced its plans to compensate affected users. An investigation into the incident is ongoing.
- The attack is the latest in a string of multi-million dollar losses resulting from flash loan exploits.
Origin Protocol has been drained of $7 million. The incident occurred late last night as part of a sophisticated attack involving a 70,000 ETH flash loan.
Origin’s co-founder Matthew Liu took to Twitter to share details of the attack, urging users to avoid buying or minting OUSD. OUSD is Origin’s native token. It is a stablecoin roughly pegged to the U.S. dollar, and it’s designed to provide yield to its holders.
But following last night’s attack, the token’s value plummeted 85% to around $0.14. The sudden price drop has left anyone with significant OUSD holdings facing substantial losses.
Origin Protocol has posted an initial synopsis of the incident.
After borrowing over $32 million worth of ETH, the attacker took advantage of a reentrancy bug in Origin’s contract. They successfully executed a rebase event to increase the supply of OUSD before swapping their takings on Uniswap and Sushiswap.
A rebase event is essentially a process in which an asset’s reserves are increased. It’s an innovation that’s been embraced in DeFi recently, though not always with positive results. In August, Yam Finance memorably suffered a catastrophe partly as a result of its rebasing mechanism.
The attacker’s steps can be followed on Etherscan.
The Origin team has stated that it will be investigating the incident in the coming days. They have also confirmed their plans to recover the funds and compensate affected OUSD holders.
A statement on Origin’s Medium blog reads as follows:
“We will be taking exhaustive measures in the next few days in an attempt to recover lost user funds before discussing a compensation plan for affected OUSD holders. As a reminder, please do not buy OUSD on Uniswap or Sushiswap as the current prices do not reflect OUSD’s underlying assets.”
Origin has also sent thanks to the wider DeFi community for their help in dealing with the fallout from the incident, as well as a plea to the attacker. “We humbly ask you to consider the hundreds of innocent people you are hurting and return the funds,” they said.
Since the attack, several users have sent on-chain messages to the perpetrator asking them to return some of the takings. One message read:
“Hi! Great job on your successful flash loan arbitrage. This is a long shot, but I lost ~$1k due to it, and I figure no harm in asking if you could please send me some $$ to reduce my loss?
Would mean a lot to me and my student loans. Although you’re under no obligation to do so.”
The victim’s message is available to view on Etherscan.
The attacker’s address also shows that they have converted some funds to RenBTC over the last few hours. They also moved hundreds of ETH through Tornado.cash, a tool that helps users preserve anonymity on the Ethereum network.
Of course, Origin’s attacker isn’t the only DeFi expert to successfully execute a flash loan and end up making off with millions of dollars.