Urgent: OUSD Was Hacked and There Has Been a Loss of Funds

Matthew Liu
12 min read · Nov 17, 2020


OUSD has been hacked, and there has been a loss of user funds. We are actively investigating the issue. We are committed to making things right. Please refer to this blog post as the authoritative source for continual updates over the course of the next few days.

Updated at 1:00AM UTC 12.12.2020 (Matthew Liu)

We have now published our compensation plan in full detail. If you are an affected user, please refer to that post.

Updated at 10:26AM UTC 11.25.2020 (Josh Fraser)

We want to share a rough timeline on when to expect full details regarding the compensation plan for the OUSD hack. Our current estimate is that it will take about 2 weeks to have a plan ready to share. It may take longer, but we hope to get it done faster. In approximately 2 weeks, we expect to be able to share our proposal for when and how affected parties will be reimbursed. The actual reimbursement will then happen at a later time. There are a lot of varying situations that we are trying to understand, so that we can structure a proposal that is fair to everyone. For example, we are collecting and analyzing data to understand how many people fall into each of the following categories:

  • Users that have held OUSD in their wallets since the attack
  • Liquidity providers on SushiSwap, Uniswap, or Mooniswap
  • SnowSwap stakers
  • Virgox users
  • Traders who sold or bought OUSD, despite being repeatedly told not to

We understand that people are anxious to know how compensation will work and whether they will be eligible. We will be sharing our proposal for community feedback. We want to make sure we are thinking through all of the scenarios and designing a plan that is fair to everyone while moving as quickly as possible.

In addition, we will be sharing updates less frequently as we move into this next phase. Even if we aren’t able to share all the details publicly, know that there is still a lot of progress being made behind the scenes. Our team continues to be focused on recovering funds, collecting and analyzing data, structuring the compensation plan, fixing the security issues with OUSD, and getting OUSD ready for re-launch. Thank you for your patience and support during this time.

Updated at 4:45PM UTC 11.20.2020 (Matthew Liu)

We wanted to update the community on our user compensation scenario. While we are confident that there is a path to recovering the capital that was lost, we have begun contingency planning in parallel. Regardless of whether we are able to recover user funds from the attacker, we are committed to doing right by our users.

Over one or more payment installments, the company intends to provide compensation equal to 100% of the value deposited to OUSD by OUSD holders at the time of the exploit. The payment methods, mechanics, and timing are still being structured, so we will need additional time to release the finalized compensation program specifics.

We have begun engineering efforts to reconstruct the state of OUSD balances in user wallets and liquidity pools (e.g. AMMs) at the time of the attack and shortly thereafter. This data capture and analysis will be ongoing, and we plan to offer transparent snapshots once this work has been completed.

We ask that you remain patient with us as we continue working through the data in the next couple of weeks. Completing this work is a prerequisite to launching our full compensation plan.

Importantly, we are not intending to mint or sell any OGN to fund the compensation plan. We also want to assure our OGN token holders that we will still be in a financially sound position to continue operating the Origin Platform (e.g. Dshop, new commerce products, and the next version of OUSD) even if we have to resort to the contingency plan.

Just as importantly, we want to reiterate that we are committed to making OUSD a successful product. We will make sure our users are made whole and plan to aggressively continue building out the product and accompanying ecosystem. We will also be upgrading our smart contracts and engaging in additional audits before re-launching OUSD. Despite being launched less than two months ago, OUSD has quickly demonstrated signs of product-market fit. In the two days prior to the hack, OUSD circulating supply had more than tripled while returning APYs at 50+%. We believe OUSD will be one of the foundational products in DeFi and peer-to-peer commerce over time. OUSD will accrue tremendous value to OGN holders through governance privileges and potential fees. As a team and community, we will overcome this setback and take OUSD and OGN to new levels in the near future.

Updated at 7:47am UTC 11.19.2020 (Josh Fraser)

We are offering a bounty of $1,000,000 USD to anyone that supplies substantial information or evidence leading to the return of customer funds. Payouts (if multiple individuals are involved) will be weighted by their relative contributions. If you have any information that may help us identify the attacker or recover the lost funds, please contact security@originprotocol.com immediately. Any bounties will be granted at the full discretion of Origin Protocol.

To the hacker, we believe you’ve made your point to us and our community. Developers deploying untested contracts before essential security audits have been completed need to be more comprehensive and diligent when developing their products. Users hoping to make profits need to be more patient and take responsibility for their investment decisions to avoid being rekt. As the developers of the OUSD smart contracts, we do not care if you return company funds or the personal investments of our founders. We believe you demonstrated superior knowledge in identifying vulnerabilities in our work. We ask that you act in a white hat manner and return all funds from OUSD users. The total amount of deposits excluding our founders and company funds is $6,159,000.00. If you do this, we will immediately stop all efforts to identify you or pursue legal action.

Remember that you are taking from those that have less. If you examine the wallet addresses that held OUSD, you will realize that many of our users are not degens or whales. Many OUSD users are new to DeFi and their losses can be life-altering in highly negative ways. We understand your desire to draw attention to smart contract vulnerabilities and teach developers the hard but necessary lesson for developing safe, secure, and battle-tested DeFi protocols. Keep Origin’s funds, but don’t punish our users, many of whom were new to crypto.

Recovering customer funds remains our single highest priority. We will exhaust all avenues to achieve this goal.

Updated at 10:15 PM UTC 11.17.2020 (Kay Yoo)

We are currently focused on gathering data with the aim of recovering funds for our OUSD holders. We will continue to provide frequent updates with our findings. Please stay tuned.

Updated at 10:38 AM UTC 11.17.2020 (Micah Alcorn)

As promised in an earlier update, we wanted to provide a detailed walk-through of the attack on the OUSD vault that happened earlier today. We’ll follow up with a full post-mortem in the coming days to explore a variety of ways to prevent future attacks. For now, we want to quickly shed light on what happened.

We will also have an upcoming post discussing the latest on our efforts to recover funds as well as our worst-case scenario plans to compensate users if we’re unable to recoup user deposits.

The attack originated from 0xb77f7bbac3264ae7abc8aedf2ec5f4e7ca079f83, with a contract deployed at Nov-17–2020 12:40:56 AM +UTC. Here is a description of the transactions that were initiated by this contract:

Nov-17–2020 12:47:19 AM +UTC

1. The Flash Loan

70,000 ETH was borrowed from dYdX.

2. The Stablecoin Swaps

17,500 ETH was exchanged for 7,855,911.53 USDT on Uniswap.

52,500 ETH was exchanged for 20,987,772.08 DAI on Uniswap.

3. The Simple Mint

Our mint method, which allows the sender to use one type of stablecoin to mint OUSD, was called with 7,500,000 USDT.

7,500,000 USDT was transferred to the vault.

7,500,000 OUSD was minted and transferred to the attacker, as intended.

At this point, the attacker held a little over half of all OUSD in existence, and the vault had an equivalent amount of collateral to support a supply of roughly 14,518,200 OUSD.

4. The Reentrancy

Our mintMultiple method, which allows the sender to use more than one type of stablecoin to mint OUSD, was called with 20,500,000 DAI as the first stablecoin.

    /**
     * @dev Mint for multiple assets in the same call.
     * @param _assets Addresses of assets being deposited
     * @param _amounts Amount of each asset at the same index in the
     *        _assets to deposit.
     */
    function mintMultiple(
        address[] calldata _assets,
        uint256[] calldata _amounts
    ) external whenNotDepositPaused {
    ...

Instead of using a second, valid stablecoin, the attacker used the address of the malicious contract itself. Our contract failed to detect that this was not one of our three supported stablecoins.

20,500,000 DAI was transferred to the vault.

In an attempt to transfer the fake stablecoin, our contract called safeTransferFrom on the attacker’s contract. This function contained its own hidden call to mint using 2,000 USDT, which our contract did not anticipate.

    ...
    for (uint256 i = 0; i < _assets.length; i++) {
        IERC20 asset = IERC20(_assets[i]);
        asset.safeTransferFrom(msg.sender, address(this), _amounts[i]);
    }
    ...

The 2,000 USDT mint triggered a rebase of the OUSD supply, which caused everyone’s OUSD balance to increase by a factor of approximately 2.41 (35,018,200 vault value / 14,518,200 OUSD supply). In other words, the contract thought that the additional 20,500,000 of value had come from earnings since no additional OUSD had actually been minted yet.

At this point, the attacker held approximately 18,090,156 OUSD when the vault value was 35,018,200.

2,000 USDT was transferred to the vault.

2,000 OUSD was minted and transferred to the attacker, causing the OUSD supply to increase to approximately 35,020,200.

20,500,000 OUSD was minted and transferred to the attacker, causing the OUSD supply to increase to 55,520,200 despite only having a value of 35,018,200.

    ...
    oUSD.mint(msg.sender, priceAdjustedTotal);
    ...

At this point, the attacker held 38,592,156 OUSD, which exceeded the value of the vault.

5. The Initial OUSD Swaps

300,000.00 OUSD was exchanged for 158,550.17 USDT on Uniswap.

1,000,000.00 OUSD was exchanged for 520,756.83 USDT on SushiSwap.

6. The First Redeem

19,557,311.44 DAI was withdrawn from the OUSD vault.

9,417,676.79 USDT was withdrawn from the OUSD vault.

3,931,953.44 USDC was withdrawn from the OUSD vault.

33,269,189.62 OUSD was burned (as intended).

7. The Reverse Stablecoin Swaps

10,450,895.33 USDT was exchanged for 22,898.58 ETH on Uniswap.

3,931,953.45 USDC was exchanged for 8,305.92 ETH on Uniswap.

19,045,083.52 DAI was exchanged for 47,976.52 ETH on Uniswap.

8. The Loan Repayment

70,000 ETH was returned to dYdX.

Nov-17–2020 12:47:47 AM +UTC

1,000,000 DAI was transferred to the attacker’s account (0xb77f7bbac3264ae7abc8aedf2ec5f4e7ca079f83).

Nov-17–2020 12:48:01 AM +UTC

1,138,449.12 OUSD was redeemed for a mix of stablecoins.

Nov-17–2020 12:49:23 AM +UTC

531,688.76 OUSD was redeemed for a mix of stablecoins.

Nov-17–2020 12:49:47 AM +UTC

248,059.48 OUSD was redeemed for a mix of stablecoins.

Nov-17–2020 12:50:04 AM +UTC

543,305.34 USDT and 226,832.53 USDC were converted to ETH on Uniswap and transferred to the attacker’s account (0xb77f7bbac3264ae7abc8aedf2ec5f4e7ca079f83) along with 1,128,244.36 DAI.

Nov-17–2020 12:51:43 AM +UTC

115,732.21 OUSD was redeemed for a mix of stablecoins.

Nov-17–2020 12:53:26 AM +UTC

53,994.89 OUSD was redeemed for a mix of stablecoins.

Nov-17–2020 12:53:42 AM +UTC

300,000.00 OUSD was exchanged for 60,505.30 USDT on Uniswap.

1,000,000.00 OUSD was exchanged for 187,152.67 USDT on SushiSwap.

Nov-17–2020 12:56:58 AM +UTC

25,191.33 OUSD was redeemed for a mix of stablecoins.

Nov-17–2020 12:57:07 AM +UTC

300,000.00 OUSD was exchanged for 29,803.08 USDT on Uniswap.

1,000,000.00 OUSD was exchanged for 98,401.29 USDT on SushiSwap.

Nov-17–2020 12:59:43 AM +UTC

11,616.27 OUSD was redeemed for a mix of stablecoins.

Nov-17–2020 12:59:48 AM +UTC

434,407.95 USDT and 24,443.08 USDC were converted to ETH on Uniswap and transferred to the attacker’s account (0xb77f7bbac3264ae7abc8aedf2ec5f4e7ca079f83) along with 121,577.54 DAI.

Nov-17–2020 01:01:08 AM +UTC

498,487.66 OUSD was transferred back to the deployer of the OUSD contract (Origin Protocol).

As of the time of writing, the attacker is holding approximately $3,309,557 worth of ETH and 2,249,822 DAI after having laundered a substantial amount through Tornado.Cash, wBTC, and renBTC. We are watching the following BTC addresses and are asking exchanges to blacklist any transactions from these wallets:

We will continue our efforts to recover these funds and appreciate any information that may help our cause.

Please contact us in our Discord or Telegram if you have any information that may help us identify the hacker and recover user funds.

Updated at 8:43 AM UTC 11.17.2020 (Josh Fraser)

We are continuing to work to try and recover the funds.

If you are still providing liquidity on Sushiswap, we advise that you should remove your funds as soon as possible.

We also strongly advise that you do not attempt to buy or sell OUSD at this time.

Updated at 5:15 AM UTC 11.17.2020 (Matthew Liu)

In the last three hours, we have made progress understanding the attack and tracking the flow of funds from the OUSD vault to the attackers’ wallets.

We are actively working on measures in an attempt to recoup the funds. This includes working with exchanges and other third-parties to potentially identify the attacker and/or freeze funds from being liquidated.

We have traced funds and know that the attacker used both Tornado Cash and renBTC to wash and move funds.

Currently, there is still 7,137 ETH and 2.249M DAI sitting in one of the attacker’s wallets.

Again, here is the transaction for the attack. Here is an early synopsis of the attack:

  • The attack was a reentrancy bug in our contract. Unfortunately, our contract was safe from reentrancy bugs unless one of our supported stablecoins was attacking us.
  • The attacker exploited a missing validation check in mintMultiple (when minting OUSD with multiple stablecoins) to pass in a fake “stablecoin” under their control. The vault then called “transferFrom” on this “stablecoin”, allowing the hacker to re-enter the contract in the middle of the mint.
  • The attacker was able to create a rebase event inside the second mint after funds had moved to OUSD from the first large mint, but before the supply of OUSD increased. This created a massive rebase for everyone in the contract, including the attacker. The attacker then also received their first large OUSD mint, giving them in total more OUSD than the contract had assets.
  • The attacker withdrew most of the stablecoins from OUSD.
  • They were then able to take extra OUSD after withdrawing and sell it on Uniswap and Sushiswap for USDT in subsequent transactions.
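The accounting failure described in the walk-through above and summarised in this synopsis, modelled as an added Python example (not Origin's contract code): a toy rebasing vault whose mintMultiple rebases before minting and makes an external call to each asset, with steps 3 and 4 replayed using the write-up's figures and the pre-attack state constructed from them. The `hardened` flag is an assumption, not the project's actual fix; it adds the missing registered-asset check plus a reentrancy guard.

```python
from fractions import Fraction as F

class Stablecoin:
    """Constructed stand-in for a real ERC-20 stablecoin priced 1:1 (not Origin's code)."""
    def __init__(self, vault, name):
        self.vault, self.name = vault, name
    def transfer_from(self, sender, amount):
        self.vault.value += amount          # collateral actually arrives in the vault

class FakeAsset:
    """Attacker-controlled 'stablecoin': its transferFrom re-enters the vault's mint."""
    def __init__(self, vault, real_asset, amount):
        self.vault, self.real_asset, self.amount = vault, real_asset, amount
    def transfer_from(self, sender, amount):
        self.vault.mint(sender, self.real_asset, self.amount)   # the hidden nested mint

class Vault:
    """Toy rebasing-token vault: balance = shares * supply / total_shares."""
    def __init__(self, hardened):
        self.hardened, self.supported, self.entered = hardened, [], False
        self.value = self.supply = self.total_shares = F(0)
        self.shares = {}
    def balance_of(self, who):
        if not self.total_shares:
            return F(0)
        return self.shares.get(who, F(0)) * self.supply / self.total_shares
    def rebase(self):
        if self.supply:             # supply is pegged to collateral; shares stay, balances scale
            self.supply = self.value
    def mint(self, sender, asset, amount):
        self.mint_multiple(sender, [asset], [amount])
    def mint_multiple(self, sender, assets, amounts):
        if self.hardened:           # hypothetical fix: registered assets only, and no re-entry
            if any(a not in self.supported for a in assets):
                raise ValueError("unsupported asset")
            if self.entered:
                raise ValueError("reentrant call")
        self.entered = True
        self.rebase()               # happens BEFORE the new supply for this mint is issued
        for asset, amt in zip(assets, amounts):
            asset.transfer_from(sender, amt)   # external call into untrusted code
        total = sum(amounts)
        new = total if not self.total_shares else total * self.total_shares / self.supply
        self.shares[sender] = self.shares.get(sender, F(0)) + new
        self.total_shares += new
        self.supply += total
        self.entered = False

def simulate(hardened):
    """Replay steps 3 and 4 of the write-up; pre-attack state is constructed from its figures."""
    v = Vault(hardened)
    dai, usdt = Stablecoin(v, "DAI"), Stablecoin(v, "USDT")
    v.supported = [dai, usdt]
    v.mint("users", dai, F(7_018_200))          # 14,518,200 - 7,500,000 already in circulation
    v.mint("attacker", usdt, F(7_500_000))      # step 3: the simple mint
    try:   # step 4: the second "asset" is the attacker's own contract
        v.mint_multiple("attacker", [dai, FakeAsset(v, usdt, F(2_000))], [F(20_500_000), F(0)])
    except ValueError as err:
        return {"blocked": str(err)}
    return {"attacker": round(v.balance_of("attacker")), "supply": round(v.supply), "vault": round(v.value)}
```

With `hardened=False` the attacker ends with 38,592,156 OUSD against a 35,020,200 vault, reproducing the walk-through; with `hardened=True` the fake asset is rejected before any collateral moves.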

A more thorough transaction by transaction analysis will be forthcoming.

We will be taking exhaustive measures in the next few days in an attempt to recover lost user funds before discussing a compensation plan for affected OUSD holders. As a reminder, please do not buy OUSD on Uniswap or Sushiswap as the current prices do not reflect OUSD’s underlying assets.

To the hacker: We ask that you do the right thing and return the funds. You’ve demonstrated your superior skills as a hacker, and we’d happily hire you as a security consultant. If you return 100% the funds, we promise not to pursue you or any legal action against you. We humbly ask you to consider the hundreds of innocent people you are hurting and return the funds.

Lastly, we want to express our gratitude to the greater blockchain community. We’ve received an outpouring of support from our investors, DeFi engineers, security experts, etc. in these trying times. We’re very thankful to the groups that are helping us further analyze the attack, trace funds, and potentially identify the attacker. Thank you from our entire team.

Original post (Matthew Liu)

The Origin Dollar (OUSD) has been hacked. The team is all-hands on deck attempting to figure out what vulnerability was exploited and how the hacker was able to access users’ deposits. Expect an updated post within an hour.

Etherscan shows the steps involved in the attack

This transaction seems to be the root of the attack:

https://etherscan.io/tx/0xe1c76241dda7c5fcf1988454c621142495640e708e3f8377982f55f8cf2a8401

At this time, there has been a loss of funds of around $7M, including over $1M of funds deposited by Origin and our founders and employees. We will be working tirelessly until we can determine the cause of the exploit and whether we will be able to recuperate these funds. We are very incentivized to give 1000% in resolving the issue in whatever way possible.

We have disabled deposits to the vault. Please do not buy OUSD on Uniswap or Sushiswap as the current prices do not reflect OUSD’s underlying assets.

This is a quickly moving process, and our entire team has been mobilized to tackle this crisis. We will be making frequent updates via our blog, Telegram, Twitter, and Discord. In times of crisis, it is important that we are fully transparent and accountable. We are ready to answer your questions.

At this time, we would like to extend our sincerest and deepest apologies to those early OUSD users that have deposited funds with us. We very much valued and appreciated your early bet on our new product, and we will work tirelessly to get to the bottom of this.

We are not going away. This is not a rug pull or internal scam. Despite this setback, it is very much in our intention to make OUSD a safe, secure, and successful product that builds on the broader Origin mission of peer-to-peer commerce. We are sorry for the events of today, and we will carry this burden forward to do better.
