DeFi project Origin Protocol exploited for $7.7 million

Another day, another DeFi exploit. Early this morning, DeFi project Origin Protocol was exploited for roughly $7.7 million. The attacker stole an estimated 11,804 ETH and 2,249,821 DAI after taking out a flash loan and taking advantage of a flaw in the Origin Protocol code. This is the third DeFi exploit in the last seven days that happened by way of a flash-loan attack.

How it happened

The attacker was able to inflate the supply of the Origin Protocol stablecoin (OUSD). They swapped the artificially minted OUSD through the DeFi platforms Uniswap and SushiSwap in exchange for USDT, which they subsequently swapped for 11,804 Ethereum and 2,249,821 DAI.

Afterward, the attacker began to launder their stolen funds, sending 333 ETH through the Ethereum mixing service Tornado Cash and swapping 4338 ETH for WBTC on Uniswap. 

You can find the full technical details regarding how the Origin Protocol exploit happened in Origin Protocol’s official announcement.

A few trends in DeFi attacks

A pattern is beginning to form in the DeFi attacks taking place. In each attack within the last 7 days (the Akropolis exploit, the Value DeFi exploit, and now the Origin Protocol exploit), the attacker has used a flash loan to take advantage of flaws in the project’s code. Those flaws either let the attacker obtain coins and tokens at prices that are beneficial to them, or let the attacker artificially mint more coins and tokens that they subsequently swap for another digital currency.

Most of these attacks are possible because many DeFi smart contracts rely on external smart contracts when it comes to pulling data such as prices. Even the DeFi projects that have been audited have proven to be susceptible to a flash-loan attack. 
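An added illustration of the price-dependency problem described above (not code from Origin Protocol or any project named in this article): a constructed constant-product pool in Python shows how far one large trade moves the spot price a dependent contract would read, and a hypothetical guard refuses that reading when it strays from a multi-block average. The pool sizes, the 5% threshold, and all names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Constructed constant-product pool (token * usd = k); fees ignored."""
    token: float                                  # reserve of the priced token
    usd: float                                    # reserve of the quote stablecoin
    history: list = field(default_factory=list)   # one spot price per block

    def spot(self) -> float:
        # The value a dependent contract sees if it reads the pool directly.
        return self.usd / self.token

    def swap_usd_in(self, amount: float) -> float:
        # Buy tokens with `amount` of stablecoin; the product k stays constant.
        k = self.token * self.usd
        self.usd += amount
        bought = self.token - k / self.usd
        self.token -= bought
        return bought

    def end_block(self) -> None:
        self.history.append(self.spot())


def guarded_price(pool: Pool, max_deviation: float = 0.05, window: int = 10) -> float:
    """Hypothetical guard: use the multi-block average, and refuse to price
    anything while the live spot price strays too far from it."""
    recent = pool.history[-window:]
    reference = sum(recent) / len(recent)
    deviation = abs(pool.spot() - reference) / reference
    if deviation > max_deviation:
        raise ValueError(f"spot deviates {deviation:.0%} from average; refusing")
    return reference


def demo():
    pool = Pool(token=1_000_000, usd=1_000_000)
    for _ in range(10):            # ten quiet blocks at a price of 1.00
        pool.end_block()
    before = pool.spot()
    pool.swap_usd_in(4_000_000)    # one large trade inside a single transaction
    after = pool.spot()
    try:
        guarded_price(pool)
        rejected = False
    except ValueError:
        rejected = True
    return before, after, rejected


if __name__ == "__main__":
    print(demo())
```

A contract that reads `spot()` directly would value the token at 25 times its earlier price for the duration of that transaction, while the averaged reference is unchanged because no block has ended.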

What’s also interesting, and honestly kind of funny, is that in each DeFi attack that has taken place, the project’s founding team asks the attacker to “please give the money back.” I guess pleading with the attacker is worth a shot, but it is highly unlikely that the attacker will return the stolen funds.

As usual, it is never a bad time to remind our audience that when it comes to DeFi, you must proceed with caution. This week alone there have been three separate DeFi attacks, and the flash-loan attack vector is becoming very popular amongst attackers. The only way to stay dry at a time when DeFi-related crime is on the rise is to stay out of the DeFi sector.
