The Origin Dollar (OUSD) project has lost $7 million in a flash loan attack, the team announced in a blog post published on Nov 17.
- The attacker exploited a reentrancy bug in the protocol’s smart contracts, which took place in the middle of a mint; effectively, the supply of the tokens had been artificially increased and had been cashed in
- The end result was that the attacker received more OUSD than the contract had assets, which he withdrew to a wallet
- The attacker then used Tornado Cash and renBTC to wash and move the funds
- The team is working on compensating victims as it attempts to recover the funds, and has told the hacker that a security position would be offered if he returned all of the funds
- OUSD joins several other projects in falling victim to a flash loan attack, which has become a popular means by which attackers exploit DeFi smart contracts
- Harvest Finance has been the biggest victim in recent weeks, losing $24 million in Oct. 26 in an attack similar to the OUSD incident
- DeFi protocols Value and Akropolis have also suffered flash loan attacks in Nov. 2020, losing $6 million and $2 million respectively