The attack exploited a reentrancy bug. The project's blog post stated:
“Unfortunately, our contract was safe from reentrancy bugs unless one of our supported stablecoins was attacking us. The attacker exploited a missing validation check… to pass in a fake ‘stablecoin’ under their control. This ‘stablecoin’ was then called ‘transferFrom’ on by the vault, allowing the hacker to exploit the contract with a reentrancy attack in the middle of the mint.”
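As an added illustration (not Origin Protocol's code), here is a deliberately simplified hypothetical vault showing the pattern the quote describes beside a hardened form: the vulnerable mint accepts any asset address and calls out to it before updating its accounting, while the hardened mint allowlists the asset, holds a reentrancy lock, and settles state before the external call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical simplified vault (an added illustration, not Origin Protocol's
// code): users deposit a supported stablecoin and are credited vault shares.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Vulnerable pattern as the incident description characterises it: the asset
// address is never validated, and the external call runs before accounting.
contract VulnerableVault {
    mapping(address => uint256) public shares;
    uint256 public totalDeposits;

    function mint(address asset, uint256 amount) external {
        // No check that `asset` is a supported stablecoin: any contract that
        // implements transferFrom is accepted and called here.
        IERC20(asset).transferFrom(msg.sender, address(this), amount);
        // Accounting happens after the external call, so a call back into
        // mint() from inside transferFrom observes stale state.
        shares[msg.sender] += amount;
        totalDeposits += amount;
    }
}
// Hardened form: allowlist the asset, hold a reentrancy lock, and follow
// checks-effects-interactions so state is final before any external call.
contract HardenedVault {
    mapping(address => bool) public supportedAsset;
    mapping(address => uint256) public shares;
    uint256 public totalDeposits;
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(address[] memory assets) {
        for (uint256 i = 0; i < assets.length; i++) supportedAsset[assets[i]] = true;
    }

    function mint(address asset, uint256 amount) external nonReentrant {
        require(supportedAsset[asset], "unsupported asset"); // check
        shares[msg.sender] += amount;                         // effects
        totalDeposits += amount;
        require(IERC20(asset).transferFrom(msg.sender, address(this), amount), "transfer failed"); // interaction
    }
}
```

The allowlist alone closes the hole the quote describes, since only pre-approved token contracts can ever be called; the lock and the checks-effects-interactions ordering are defence in depth for the case the blog itself names, a supported stablecoin turning hostile.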
The user who siphoned these funds from Origin Protocol started with dYdX, another popular DeFi platform that has suffered multiple flash loan attacks in the past. After borrowing 70,000 ETH from dYdX, the attacker routed the funds through multiple platforms such as Compound, Aave and Uniswap, and walked away with $5.5 million in ETH and $2.2 million in Dai.
The co-founder of Origin Protocol asked users not to buy or mint OUSD:
“Unfortunately OUSD was hacked 2 hours ago and there has been a loss of funds. The Origin Protocol team is all hands on deck working on resolving this issue.”
In an updated blog post, the Origin Protocol team stated that they were tracing the funds and that the
“… attacker used both Tornado Cash and renBTC to wash and move funds… Currently, there is still 7,137 ETH and 2.249M DAI sitting in one of the attacker’s wallets.”
This isn’t the first flash loan attack; in fact, it is the second one in the last 30 days. Value DeFi, another project, suffered an attack that cost it $6 million. Other hacks include Harvest Finance, where the attacker made off with $2.5 million in crypto.
While DeFi hacks have never been uncommon, they have become more frequent since the introduction of yield farming, liquidity pools, AMMs and similar mechanisms. The “DeFi summer” hype allowed many people to make money, but so did those who were skilled enough to find bugs in a protocol’s code or smart contracts.
Buggy smart contracts plague this young field of DeFi and are also what keeps investors from going all in. Because these protocols have had comparatively little time in production, they carry a high risk that is unappealing even with the high rewards.
Hence, be careful when dealing with new farming platforms that offer attractive ROIs but run unaudited code.