Origin Protocol Hacked for $7 Million

Reading Time: 2 minutes
  • Origin Protocol has been hacked and $7 million worth of OUSD tokens taken
  • The hacker used a reentry attack and used the platform’s own token against them
  • CEO Matthew Liu promised to refrain from legal action if the hacker returns all the funds

Origin Protocol, the decentralized marketplace protocol, has been hacked with $7 million worth of OUSD tokens stolen, including user funds. The alarm was raised a matter of hours ago, with Origin Protocol since establishing the modus operandi of the attacker and asking them to return the funds, which took the form of the platform’s own OUSD tokens, with user funds representing the bulk of the 7 million stolen.

Origin Protocol Denies “Rug Pull”

In a Medium post outlining the hack, Origin Protocol CEO Matthew Liu was able to point to the specific transaction that seems to have been at the heart of the hack and the wallet where the funds have ended up, following their conversion to other tokens.

The loss of funds has been calculated at 7 million OUSD tokens, including over 1 million from employees, with each token being the equivalent of a dollar. Liu was quick to stress that the team was not “going away” and that this was not a “rug pull or internal scam”, with the fact that the project has been running since 2017 testament to these claims.

A later update to the Medium article stated that the Origin Protocol team had “made progress understanding the hack” and was “working on measures” to try and recoup the funds, including working with cryptocurrency exchanges to blacklist the wallet addresses concerned from easily cashing out the stolen tokens.

Liu Appeals to Hacker’s Better Nature

Liu stated that the attacker used the popular Tornado Cash mixer to obscure some of the funds, although there is still some $5.6 million worth of ETH and DAI tokens in the hacker’s wallet. Liu also identified the method of the hack, saying that it was due to a “reentrancy bug in our contract”, the same kind of attack that hit imBTC in April. This hack was only possible, Liu added, because the smart contract was attacked by one of the stablecoins supported by Origin Protocol, a weakness the hacker identified.

Liu then addressed the hacker directly, promising a job opportunity with Origin Protocol and no legal action if they returned the coins:

To the hacker: We ask that you do the right thing and return the funds. You’ve demonstrated your superior skills as a hacker, and we’d happily hire you as a security consultant. If you return 100% the funds, we promise not to pursue you or any legal action against you. We humbly ask you to consider the hundreds of innocent people you are hurting and return the funds.

Now that would make for a VERY uncomfortable first day in the office…