Origin Dollar exploited for $3.25 million in flash loan attack

Reports are coming in that Origin Dollar (OUSD) was exploited for $2.25 million in DAI and $1 million in Ethereum.

Origin dollar hack

The flash loan attacker is already washing the funds via RenBTC. This is the fifth flash loan attack in the past three weeks alone.

Harvest, Akropolis, Value, and CheeseBank were all hit for millions in stables.

OMG Altcoin thinks the amount stolen is a lot higher than the ~$3.5 million we first thought; we misread the attack transactions.

Funds stolen so far:
– $2.25m in DAI
– $3.3m in ETH
– $1.9m in ETH->RenBTC

This might have something to do with the rebase mechanism:

The attacker obtained 28,000,000 OUSD by depositing a combination of USDT and DAI, though somehow exited with 33,270,000 OUSD and then some. The remaining OUSD was subsequently withdrawn and liquidated into DAI and Ethereum.

The attack transactions are inherently convoluted because part of the attack required deposits into the OUSD Vault. When depositing stables into OUSD, the funds are automatically put into the yield-bearing strategies.

It might also have something to do with this.

Upon further analysis, it might have been a reentrancy attack that exploited the way in which OUSD rebases.

OUSD rebases continuously as users interact with Origin contracts.

In simple terms, a re-entrancy attack is like paying someone with a cheque that will bounce: the attacker's contract calls back into the vault while the first call is still in flight, before the vault has finished updating its balances, so the second call is priced off stale state.
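To make the mechanism concrete, here is an added Python model of a rebasing vault, not Origin's contract code: the starting balances, the `transfer_hook` callback and the public `rebase()` are constructed assumptions. The unguarded `mint()` pulls the deposit in (an external call) before it updates supply, so a callback that triggers a rebase mid-mint leaves more tokens outstanding than assets backing them; a shared re-entrancy lock makes the whole deposit revert instead.

```python
import copy
class ReentrancyError(Exception):
    pass

class RebasingVault:
    def __init__(self, guarded):
        self.guarded = guarded          # True: mint() and rebase() share one lock
        self.assets = 1_000_000         # stablecoins held by the vault
        self.supply = 1_000_000         # rebasing tokens outstanding (1:1 at start)
        self.balances = {"lp": 800_000, "depositor": 200_000}   # constructed holders
        self.locked = False

    def _enter(self):
        if self.guarded and self.locked:
            raise ReentrancyError("re-entered while a call is in flight")
        self.locked = True

    def rebase(self):
        """Scale every balance so that supply == assets held."""
        self._enter()
        for who in self.balances:
            self.balances[who] = self.balances[who] * self.assets // self.supply
        self.supply = sum(self.balances.values())
        self.locked = False

    def mint(self, who, amount, transfer_hook=None):
        """Deposit `amount` stablecoins; mint tokens at the rate seen on entry."""
        snapshot = copy.deepcopy(self.__dict__)   # lets a failure revert EVM-style
        self._enter()
        try:
            minted = amount * self.supply // self.assets
            self.assets += amount                 # pulling the deposit in is an
            if transfer_hook:                     # external call that may call back
                transfer_hook(self)
            self.supply += minted                 # effects land only after the call
            self.balances[who] = self.balances.get(who, 0) + minted
        except ReentrancyError:
            self.__dict__.update(snapshot)        # whole call reverts, lock released
            raise
        self.locked = False
        return minted

def run(guarded):
    """Deposit via a token whose transfer hook triggers a rebase mid-mint."""
    vault = RebasingVault(guarded)
    try:
        vault.mint("depositor", 1_000_000, transfer_hook=lambda v: v.rebase())
    except ReentrancyError:
        pass                                      # guarded path: deposit reverted
    return vault
```

A useful monitoring check on a live rebasing token is the same invariant the unguarded run breaks: total supply should never exceed the assets the vault reports holding.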

I forgot to mention: I believe I saw a tx where the attacker returned ~536,000 OUSD to a smart contract address or the Origin deployer.

Technically, that OUSD can't be redeemed for anything, but it does have some value on the secondary market (SushiSwap and Uniswap).

Users are starting to send on-chain messages to the Origin attacker's address, where $5.5 million remains.

One user said they lost $1,000, which they said came from their student loans.

Another claimed to have lost 0.5 ETH trying to trade the crash.

On-chain communication with an attacker was recently popularized with the Value exploit, though it’s existed for all of the major hacks as of late.

I remember DForce initially negotiating the return of $25 million hacked via embedded messages.