Project leads say legal action will not be taken against the culprit if they return the stolen funds
Origin Protocol is scrambling to recover $7 million worth of stolen Origin Dollar (OUSD) after the recently launched ‘stablecoin’ project was hacked.
The San Francisco-based blockchain company disabled deposits to the vault after detecting a so-called re-entrancy attack that took place this morning (November 17).
Origin co-founder Matthew Liu, who tweeted news of the attack two hours after it took place, said the pilfered funds included $1 million “deposited by Origin and our founders and employees”.
The project’s native token has shed 85.3% of its value in the past 24 hours, according to CoinGecko.
OUSD was launched in late September with the promise of generating yields while funds sit passively in wallets.
Stablecoins are pegged to cryptocurrencies, fiat money, or exchange-traded commodities to minimize price volatility.
‘Tracking the flow’
Around four hours after the attack took place, Liu’s fellow Origin co-founder, Josh Fraser, said the company had “made progress understanding the attack and tracking the flow of funds from the OUSD vault to the attackers’ wallets”, and were “actively working on measures in an attempt to recoup the funds”.
He added: “This includes working with exchanges and other third-parties to potentially identify the attacker and/or freeze funds from being liquidated.”
Liu said a “compensation plan” for affected OUSD holders would also be discussed.
Users have been urged not to buy OUSD, “as the current prices do not reflect OUSD’s underlying assets”, and to remove funds from liquidity pools.
Liu promised that Origin would not pursue legal action against the culprit “if they returned the stolen funds”.
‘Missing validation check’
Fraser said the stolen funds, which had been washed using Tornado Cash and renBTC, had been traced to an Ethereum wallet containing 7,137 ETH and 2.249 million DAI.
Discussing the hack, the Origin co-founder said the attackers capitalized on a missing validation check to pass in a fake stablecoin, which “was then called ‘transferFrom’... by the vault”.
This apparently allowed the hacker to exploit the contract with a re-entrancy attack “in the middle of the mint”.
The attacker withdrew funds after inflating them with a “rebase event” that gave them “more OUSD than the contract had assets”, said Fraser.
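The failure Fraser describes can be reproduced in a simplified Python model, added here as an illustration and not taken from Origin's contract code: an unvalidated token's transfer hook triggers a rebase while a mint is half finished, so balances are scaled up against backing that has no matching supply yet. The class and method names, the starting balances and the two fixes shown (an asset allow-list checked before any transfer, and a re-entrancy lock) are assumptions made for the example.

```python
class Vault:
    """Toy rebasing vault; `hardened` enables the allow-list and the lock."""
    def __init__(self, supported, hardened):
        self.supported, self.hardened, self.locked = set(supported), hardened, False
        self.assets = 200                                 # constructed backing
        self.balances = {"attacker": 100, "others": 100}  # constructed holders
    def supply(self):
        return sum(self.balances.values())
    def _guard(self):
        if self.hardened and self.locked:
            raise RuntimeError("re-entrant call rejected")

    def rebase(self):
        """Scale balances up pro rata so supply matches the backing held."""
        self._guard()
        assets, supply = self.assets, self.supply()
        if assets > supply:
            self.balances = {k: v * assets // supply for k, v in self.balances.items()}

    def mint_multiple(self, sender, deposits):
        self._guard()
        if self.hardened and any(t not in self.supported for t, _ in deposits):
            raise ValueError("unsupported asset")         # checked before any transfer
        saved, self.locked = (self.assets, dict(self.balances)), True
        try:
            for token, amount in deposits:
                token.transfer_from(self, amount)         # external call into token code
            minted = sum(amount for _, amount in deposits)
            self.balances[sender] = self.balances.get(sender, 0) + minted
        except Exception:
            self.assets, self.balances = saved            # model a reverted transaction
            raise
        finally:
            self.locked = False

class Stable:
    def transfer_from(self, vault, amount):
        vault.assets += amount                            # honest token adds backing
class FakeToken:
    def transfer_from(self, vault, amount):
        vault.rebase()                                    # hook calls back into the vault

def run(hardened, allow_fake=False):
    real, fake = Stable(), FakeToken()
    vault = Vault([real, fake] if allow_fake else [real], hardened)
    try:
        vault.mint_multiple("attacker", [(real, 200), (fake, 0)])
    except (ValueError, RuntimeError) as exc:
        return vault.supply(), vault.assets, str(exc)
    return vault.supply(), vault.assets, "minted"
```

`run(False)` ends with more supply than backing, while `run(True)` stops at the allow-list and `run(True, allow_fake=True)` shows the lock catching the callback even if a hostile token were mistakenly listed.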
Liu offered his “sincerest and deepest apologies” to OUSD users and reassured them that “this is not a rug pull or internal scam”.
He added: “This is a quickly moving process, and our entire team has been mobilized to tackle this crisis.”
Liu said further updates would be posted to Origin’s blog, Telegram, Twitter, and Discord accounts.
Cryptocurrency platforms are a frequent and frequently lucrative target for financially-motivated cybercrooks.
The OUSD hack follows a similar re-entrancy attack mounted only a few days ago against blockchain-powered pension fund Akropolis, which saw the offenders make off with $2 million worth of DAI.
In more positive news for the market, cryptocurrency exchange Binance last week awarded $200,000 to the investigative team that unmasked the cybercriminals behind a 2018 phishing attack and the subsequent theft of its users’ login credentials.
The Daily Swig has contacted Origin for further comment and will update this article if and when we receive a response.