Origin Protocol Hack

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Origin Protocol

The origin protocol smart contract failed to check that one of the inputs into a function was a valid stablecoin. As a result, the hacker was able to create additional coins in the protocol and remove funds.

Origin Protocol came out with an ambitious plan to reimburse their affected users over time.

This is a global/international case not involving a specific country.^[1]^[2]^[3]^[4]^[5]^[6]^[7]^[8]^[9]^[10]^[11]^[12]^[13]^[14]^[15]^[16]^[17]^[18]^[19]

About Origin Protocol

"Origin Protocol is bringing NFTs and DeFi to the masses." "Origin Protocol is a network that allows market participants to share goods and services through peer-to-peer (P2P) networks. The platform aims to create an extensive online marketplace leveraging the Ethereum (ETH) blockchain and Interplanetary File System (IPFS) in order to eliminate the need for middlemen."

"Blockchain-based e-commerce platform, Origin Protocol confirmed that its stablecoin, Origin Dollar (OUSD) has been hacked for around $7 million in Ethereum and DAI. The company launched OUSD in September this year." "The attack was a reentrancy bug in our contract. Unfortunately, our contract was safe from reentrancy bugs unless one of our supported stablecoins was attacking us." "Instead of using a second, valid stablecoin, the attacker used the address of the malicious contract itself. Our contract failed to detect that this was not one of our three supported stablecoins."

"[T]he attacker “used both Tornado Cash and Renbtc to wash and move funds.” According to Liu, there is “still 7,137 ETH and 2.249M DAI sitting in one of the attacker’s wallets.”" "We will be taking exhaustive measures in the next few days in an attempt to recover lost user funds before discussing a compensation plan for affected OUSD holders."

"We are continuing to work to try and recover the funds. If you are still providing liquidity on Sushiswap, we advise that you should remove your funds as soon as possible. We also strongly advise that you do not attempt to buy or sell OUSD at this time." "Despite this setback, it is very much in our intention to make OUSD a safe, secure, and successful product that builds on the broader Origin mission of peer-to-peer commerce." "Origin announced a $1 million bounty reward for anyone who can bring the hacker responsible for destabilizing its stablecoin to justice." “We are offering a bounty of $1,000,000 USD to anyone that supplies substantial information or evidence leading to the return of customer funds.” "Kay Yoo, who heads up Business Operations and Strategy at Origin, elaborated over email. “We do not care if the hacker returns company funds or the personal investments of our founders,” she told Decrypt. “Our highest priority right now is to recover customer funds.”"

"Origin Protocol has relaunched its OUSD token following a flash loan exploit that caused havoc for the project in November. The new token has received several audits and security improvements to prevent future attacks." "He went on to say that the team has carried out “rigorous internal auditing” as well as new code reviews. The project will also run additional audits as the product is upgraded."

"Approximately two-thirds of affected users will receive full compensation in the form of newly minted OUSD (fully backed by stablecoins, audited, and relaunched with new security measures in place). The remaining affected users — mostly larger depositors — will receive 25% of their compensation in OUSD upfront and 75% of their compensation in Origin Tokens (OGN) that are locked for one year. To further compensate these users for the time value of money and not having all their funds available upfront, locked OGN will earn interest at 25% over the year. This means that for the OGN portion of compensation, users will receive 1.25x the value in OGN one year after the compensation program goes live in the upcoming weeks."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

Known history of when and how the service was started.
What problems does the company or service claim to solve?
What marketing materials were used by the firm or business?
Audits performed, and excerpts that may have been included.
Business registration documents shown (fake or legitimate).
How were people recruited to participate?
Public warnings and announcements prior to the event.

Don't Include:

Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

When the service was actually started (if different than the "official story").
Who actually ran a service and their own personal history.
How the service was structured behind the scenes. (For example, there was no "trading bot".)
Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Origin Protocol Hack
Date	Event	Description
November 17th, 2020	Main Event	Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $7,700,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

It goes without saying that the decentralized finance space is still new and emerging.

At the moment, it makes sense to consider that each smart contract is effectively a hot wallet - because funds are live to be taken through a single exploit.

Better security can be achieved through offline storage of funds in a multi-signature wallet.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

↑ Origin Defi Protocol Suffers Massive Flash Loan Attack- OUSD Stablecoin Value Plunges 85% – Altcoins Bitcoin News (May 13, 2021)
↑ Rekt - Leaderboard (May 13, 2021)
↑ Rekt - Hack Epidemic (Origin Protocol - REKT) (May 16, 2021)
↑ Urgent: OUSD Has Been Hacked And There Has Been a Loss of Funds (May 16, 2021)
↑ Origin Dollar OUSD Detailed Compensation Plan (May 16, 2021)
↑ Origin Protocol Confirms $7 Million Hack | Finance Magnates (May 16, 2021)
↑ @originprotocol Twitter (May 16, 2021)
↑ Origin Protocol Relaunches Stablecoin Following Hack | Crypto Briefing (May 16, 2021)
↑ Flash Loan Attack: Origin Protocol Unveils Compensation Plan that Excludes Founders – Altcoins Bitcoin News (May 16, 2021)
↑ Origin Protocol Puts $1 Million Bounty on Hacker As OUSD Stablecoin Loses Stability | Blockchain News (May 16, 2021)
↑ Origin DeFi Protocol Loses $7 Million to Hacker in Security Breach | Blockchain News (May 16, 2021)
↑ Origin Protocol Hacked For $7 Million - CryptoTicker (May 16, 2021)
↑ Ethereum-based Origin Puts $1 Million Bounty on OUSD Hacker - Decrypt (May 16, 2021)
↑ Origin Protocol – Medium (May 16, 2021)
↑ Origin Protocol price today, OGN live marketcap, chart, and info | CoinMarketCap (May 16, 2021)
↑ Origin Dollar cryptocurrency hacked to the tune of $7m less than two months after launch | The Daily Swig (May 24, 2021)
↑ CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20, 2021)
↑ SlowMist Hacked - SlowMist Zone (May 18, 2021)
↑ Blockchain Hacks: 2020 | $15 billion lost, how can we mitigate hacks in 2021? | CertiK Foundation Blog (Jul 23, 2021)

[newsdotbitcoin-597-1] Origin Defi Protocol Suffers Massive Flash Loan Attack- OUSD Stablecoin Value Plunges 85% – Altcoins Bitcoin News (May 13, 2021)

[rekt-513-2] Rekt - Leaderboard (May 13, 2021)

[rekt-598-3] Rekt - Hack Epidemic (Origin Protocol - REKT) (May 16, 2021)

[originprotocolmedium-599-4] Urgent: OUSD Has Been Hacked And There Has Been a Loss of Funds (May 16, 2021)

[originprotocolmedium-600-5] Origin Dollar OUSD Detailed Compensation Plan (May 16, 2021)

[financemagnates-601-6] Origin Protocol Confirms $7 Million Hack | Finance Magnates (May 16, 2021)

[originprotocoltwitter-602-7] @originprotocol Twitter (May 16, 2021)

[cryptobriefing-603-8] Origin Protocol Relaunches Stablecoin Following Hack | Crypto Briefing (May 16, 2021)

[newsdotbitcoin-604-9] Flash Loan Attack: Origin Protocol Unveils Compensation Plan that Excludes Founders – Altcoins Bitcoin News (May 16, 2021)

[blockchain-605-10] Origin Protocol Puts $1 Million Bounty on Hacker As OUSD Stablecoin Loses Stability | Blockchain News (May 16, 2021)

[blockchain-606-11] Origin DeFi Protocol Loses $7 Million to Hacker in Security Breach | Blockchain News (May 16, 2021)

[cryptoticker-607-12] Origin Protocol Hacked For $7 Million - CryptoTicker (May 16, 2021)

[decrypt-608-13] Ethereum-based Origin Puts $1 Million Bounty on OUSD Hacker - Decrypt (May 16, 2021)

[originprotocolmedium-609-14] Origin Protocol – Medium (May 16, 2021)

[coinmarketcap-610-15] Origin Protocol price today, OGN live marketcap, chart, and info | CoinMarketCap (May 16, 2021)

[portswigger-842-16] Origin Dollar cryptocurrency hacked to the tune of $7m less than two months after launch | The Daily Swig (May 24, 2021)

[ciphertrace-1152-17] CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20, 2021)

[slowmisthacked-678-18] SlowMist Hacked - SlowMist Zone (May 18, 2021)

[certik-1776-19] Blockchain Hacks: 2020 | $15 billion lost, how can we mitigate hacks in 2021? | CertiK Foundation Blog (Jul 23, 2021)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

Origin Protocol Hack

Contents

About Origin Protocol

The Reality

What Happened

Technical Details

Total Amount Lost

Immediate Reactions

Ultimate Outcome

Total Amount Recovered

Ongoing Developments

General Prevention Policies

Individual Prevention Policies

Platform Prevention Policies

Regulatory Prevention Policies

References

Navigation menu

Origin Protocol Hack

About Origin Protocol

The Reality

What Happened

Technical Details

Total Amount Lost

Immediate Reactions

Ultimate Outcome

Total Amount Recovered

Ongoing Developments

General Prevention Policies

Individual Prevention Policies

Platform Prevention Policies

Regulatory Prevention Policies

References

Navigation menu

Search