No one is safe: Ethereum DeFi protocol by PayPal co-founder exploited for $7.5m
No one is safe from the ever-growing wave of decentralized finance (DeFi) exploits, not even prominent technologists and investors.
Today, an up-and-coming DeFi protocol built on Ethereum by prominent Silicon Valley developers such as Yu Pan, a founding member of PayPal and the earliest YouTube employee, was attacked with a flash loan.
This is the fifth flash loan attack of the past three weeks, making it clear that this is an issue that all Ethereum users should be aware of.
OriginUSD hacked for $7.5 million in ETH and DAI
On Monday evening, a suspicious transaction was spotted by many users on Twitter. At first, few knew what had happened: this unknown user had withdrawn 70,000 ETH from dYdX, an Ethereum decentralized exchange, as a flash loan, then used those funds to withdraw millions in stablecoins.
Some thought it was a normal arbitrage, but I suggested it was a flash loan exploit on a yield aggregator protocol.
The reason why I thought so was that the account affiliated with this suspicious transaction had sent millions worth of DAI and Ethereum from the flash loan transaction to his own address, implying that he made a profit. It was also clear that the transaction involved Origin USD (OUSD), a meta-stablecoin that natively yields interest to holders.
Another one bites the dust: Origin Dollar (OUSD) exploited for $2.25m in DAI and $1m in Ethereum.
Flash loan attacker/exploiter is already washing the funds via RenBTC. pic.twitter.com/3VouT7AiJe
— Nick C. (@n2ckchong) November 17, 2020
In all, $7.5 million worth of funds were taken from the protocol, which was all the funds in the Origin pool at the time. The attacker immediately began to try and wash the funds, withdrawing $2 million worth of RenBTC into Bitcoin proper, then converting the censorable stablecoins into ETH and DAI.
This attack wasn’t fully confirmed by the team until hours later, when Origin’s co-founders shared the following blog online:
According to them, what had happened was a “reentrancy bug.” A reentrancy bug is an infamous type of Ethereum smart contract exploit: a contract hands control to an outside contract mid-transaction (for example, while pulling in a token), and that outside contract calls back in before the first contract has finished updating its own accounting. The effect is that someone can appear to have deposited a coin without actually depositing that coin. In basic terms, it’s like double-spending BTC.
The bug allowed the attacker to mint a large number of OUSD tokens without having the stablecoins to back them. This allowed them to subsequently withdraw more coins from the pool than those they had deposited.
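To make the mechanism concrete, here is an added illustration (not Origin's code, and not a reconstruction of the actual OUSD bug): a hypothetical vault that credits deposits from a balance delta measured across an external token call, beside a guarded version. It assumes the deposited token hands control back to the caller before it moves balances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Illustrative only: a hypothetical deposit-and-mint vault, not Origin's OUSD contracts.
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE: shares are credited from a balance delta measured across an external call.
// Assumed token behaviour: an ERC777-style sender hook runs BEFORE balances move, so the
// caller regains control inside transferFrom() while the vault's snapshot is stale.
contract VulnerableVault {
    IERC20 public immutable token;
    mapping(address => uint256) public shares;
    constructor(IERC20 t) { token = t; }
    function mint(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        // Control may return to msg.sender here. A nested mint() runs to completion,
        // raising the vault balance by `amount` and crediting shares for that deposit...
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // ...then this outer call measures BOTH deposits against the old snapshot and
        // credits the nested deposit a second time: shares minted exceed tokens received.
        uint256 received = token.balanceOf(address(this)) - before;
        shares[msg.sender] += received;
    }
}

// HARDENED: a mutex rejects any nested call, so one delta can only ever cover one deposit.
// Same idea as OpenZeppelin's ReentrancyGuard, written inline to stay self-contained.
contract GuardedVault {
    IERC20 public immutable token;
    mapping(address => uint256) public shares;
    uint256 private locked = 1;
    constructor(IERC20 t) { token = t; }
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    function mint(uint256 amount) external nonReentrant {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - before;
        require(received == amount, "unexpected amount"); // also catches short transfers
        shares[msg.sender] += received;
    }
}
```

Auditing for this class of bug means looking at every external call made before state is finalized, and treating any user-supplied token or contract address as a point where control can return to the caller.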
Update on what's happening with the $OUSD hack. The entire @OriginProtocol team is hard at work attempting to recover funds and identify the attacker. We will make this right. We appreciate your patience and support in these trying times. Thank you. https://t.co/D4qTwvFzNm
— Matthew Liu (@matthewliu) November 17, 2020
The Origin team will be working nonstop to try and make affected users whole:
“We will be taking exhaustive measures in the next few days in an attempt to recover lost user funds before discussing a compensation plan for affected OUSD holders.”
What makes this notable is that this is the fifth flash loan attack of the past three weeks.
We covered many of these attacks, including the one that took place just last week on Akropolis, and another that took place this weekend on Value DeFi.