Malicious actors are increasingly leveraging flash loans to fund attacks on decentralized finance [DeFi] protocols. Another one is biting the dust. This time, the Origin Protocol’s yield-generating stablecoin protocol, OUSD, was attacked and drained by nearly $7 million, of which $1 million was deposited by the company’s founders and employees.
After tracing the movement of the funds, the Founder of Origin Protocol Matthew Liu revealed that the attacker used both Tornado Cash and renBTC to wash and move funds. Additionally, there was still 7,137 ETH and 2.249 million DAI sitting in one of the attacker’s wallets.
Nature of the Attack
The exec explained,
“The attack was a reentrancy bug in our contract. Unfortunately, our contract was safe from reentrancy bugs unless one of our supported stablecoins was attacking us.”
Reentrancy attacks are known to be the most devastating attacks when developing smart contracts. They are devastating for two reasons: they can completely drain a smart contract of its funds, and they can sneak their way into the code if the developers are not careful.
In the case of OUSD, the entity reportedly exploited a missing validation check in mint multiple (when minting OUSD with multiple stablecoins) to pass in a fake “stablecoin” under their control. This “stablecoin” was then called “transferFrom” on by the vault. This essentially allowed the attacker to exploit the contract with a “reentrancy attack” in the middle of the mint.
As a response to the attack, Liu reminded the users not to buy OUSD on Uniswap or Sushiswap as the current prices do not reflect OUSD’s underlying assets.
Here’s what prominent DeFi influencer Autism Capital had to say about the entire fiasco:
Of late, flash loans have become one of the most popular as well as powerful new liquidity mechanisms that have recently emerged in the decentralized finance [DeFi] ecosystem.
Origin’s breach is the fifth major flash loan attack to hit the DeFi ecosystem in the past three weeks, after security breaches targeting platforms such as Harvest, Akropolis, Value, and CheeseBank. Additionally, it is the tenth DeFi platform to have been exploited in terms of year to date.