$7 700 000 USD

NOVEMBER 2020

GLOBAL

ORIGIN PROTOCOL

DESCRIPTION OF EVENTS

"Origin Protocol is bringing NFTs and DeFi to the masses." "Origin Protocol is a network that allows market participants to share goods and services through peer-to-peer (P2P) networks. The platform aims to create an extensive online marketplace leveraging the Ethereum (ETH) blockchain and Interplanetary File System (IPFS) in order to eliminate the need for middlemen."

 

"Blockchain-based e-commerce platform, Origin Protocol confirmed that its stablecoin, Origin Dollar (OUSD) has been hacked for around $7 million in Ethereum and DAI. The company launched OUSD in September this year." "The attack was a reentrancy bug in our contract. Unfortunately, our contract was safe from reentrancy bugs unless one of our supported stablecoins was attacking us." "Instead of using a second, valid stablecoin, the attacker used the address of the malicious contract itself. Our contract failed to detect that this was not one of our three supported stablecoins."

 

"[T]he attacker “used both Tornado Cash and Renbtc to wash and move funds.” According to Liu, there is “still 7,137 ETH and 2.249M DAI sitting in one of the attacker’s wallets.”" "We will be taking exhaustive measures in the next few days in an attempt to recover lost user funds before discussing a compensation plan for affected OUSD holders."

 

"We are continuing to work to try and recover the funds. If you are still providing liquidity on Sushiswap, we advise that you should remove your funds as soon as possible. We also strongly advise that you do not attempt to buy or sell OUSD at this time." "Despite this setback, it is very much in our intention to make OUSD a safe, secure, and successful product that builds on the broader Origin mission of peer-to-peer commerce." "Origin announced a $1 million bounty reward for anyone who can bring the hacker responsible for destabilizing its stablecoin to justice." “We are offering a bounty of $1,000,000 USD to anyone that supplies substantial information or evidence leading to the return of customer funds.” "Kay Yoo, who heads up Business Operations and Strategy at Origin, elaborated over email. “We do not care if the hacker returns company funds or the personal investments of our founders,” she told Decrypt. “Our highest priority right now is to recover customer funds.”"

 

"Origin Protocol has relaunched its OUSD token following a flash loan exploit that caused havoc for the project in November. The new token has received several audits and security improvements to prevent future attacks." "He went on to say that the team has carried out “rigorous internal auditing” as well as new code reviews. The project will also run additional audits as the product is upgraded."

 

"Approximately two-thirds of affected users will receive full compensation in the form of newly minted OUSD (fully backed by stablecoins, audited, and relaunched with new security measures in place). The remaining affected users — mostly larger depositors — will receive 25% of their compensation in OUSD upfront and 75% of their compensation in Origin Tokens (OGN) that are locked for one year. To further compensate these users for the time value of money and not having all their funds available upfront, locked OGN will earn interest at 25% over the year. This means that for the OGN portion of compensation, users will receive 1.25x the value in OGN one year after the compensation program goes live in the upcoming weeks."

The Origin Protocol smart contract failed to check that one of the inputs to a function was a supported stablecoin. As a result, the attacker was able to mint additional coins in the protocol and withdraw funds.
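As an added illustration (not Origin Protocol's contract and not a reconstruction of it), the hypothetical Solidity vault below shows the two controls the description above points at: an explicit allowlist of accepted asset addresses that is checked before any token call, so a caller-supplied address that is not on the list is rejected outright, and a reentrancy guard so that a nested call back into the same function reverts before any balance is touched. The contract and function names (`SafeVault`, `supportedAssets`, `mint`) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Origin Protocol's code. Names are hypothetical.
// Minimal ERC-20 surface needed to pull a deposit in.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract SafeVault {
    address public immutable governor;

    // Allowlist of asset addresses the vault will accept. Anything not set
    // here (including a contract the caller deployed) is refused.
    mapping(address => bool) public supportedAssets;

    // Shares credited per depositor, 1:1 with deposited units for simplicity.
    mapping(address => uint256) public shares;

    // Reentrancy lock: 1 = unlocked, 2 = locked.
    uint256 private locked = 1;

    event Minted(address indexed user, address indexed asset, uint256 amount);
    event AssetSupported(address indexed asset, bool supported);

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    // Reject any asset that governance has not explicitly enabled.
    modifier onlySupported(address asset) {
        require(supportedAssets[asset], "asset not supported");
        _;
    }

    modifier onlyGovernor() {
        require(msg.sender == governor, "not governor");
        _;
    }

    constructor(address[] memory assets) {
        governor = msg.sender;
        for (uint256 i = 0; i < assets.length; i++) {
            supportedAssets[assets[i]] = true;
            emit AssetSupported(assets[i], true);
        }
    }

    // Only governance can change the allowlist; ordinary callers never can.
    function setSupported(address asset, bool supported) external onlyGovernor {
        supportedAssets[asset] = supported;
        emit AssetSupported(asset, supported);
    }

    // Deposit `amount` of a supported asset and receive shares.
    // Order of operations (checks-effects-interactions): validate inputs,
    // update internal state, and only then call out to the token contract.
    // Because the allowlist is checked first, the external call can only
    // ever go to an address governance enabled; because of nonReentrant,
    // a call back into mint() from inside transferFrom reverts.
    function mint(address asset, uint256 amount)
        external
        nonReentrant
        onlySupported(asset)
    {
        require(amount > 0, "zero amount");

        shares[msg.sender] += amount;

        require(
            IERC20(asset).transferFrom(msg.sender, address(this), amount),
            "transfer failed"
        );

        emit Minted(msg.sender, asset, amount);
    }
}
```

The design point is that the address of the asset is never trusted just because the caller supplied it: the contract consults its own allowlist, which only governance can change, before it makes any external call. The reentrancy guard is a second, independent layer, so even if a listed asset were later found to behave unexpectedly, a nested call into `mint` would still revert. A deployment review would check both that the allowlist is populated only with the intended token contracts and that every externally callable function which makes an outbound call carries the guard.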

 

Origin Protocol came out with an ambitious plan to reimburse their affected users over time.

HOW COULD THIS HAVE BEEN PREVENTED?

It goes without saying that the decentralized finance space is still new and emerging.

 

At the moment, it makes sense to treat each smart contract as effectively a hot wallet: the funds it holds are live and can be taken through a single exploit.

 

Better security can be achieved through offline storage of funds in a multi-signature wallet.

 


© 2021 Quadriga Initiative.