Another one bites the dust: Origin Dollar (OUSD) exploited for $2.25m in DAI and $1m in Ethereum.
Flash loan attacker/exploiter is already washing the funds via RenBTC.
This is the fifth flash loan attack of the past three weeks alone.
Harvest, Akropolis, Value, and CheeseBank were all hit for millions in stables.
I believe he stole even more ETH than I first thought. Trying to figure it out.
Attack confirmed by core team member.
I think the amount stolen is a lot higher than the ~$3.5m as I first thought. I misread the attack txes.
Funds stolen (I think):
- $2.25m in DAI
- $3.3m in ETH
- $1.9m in ETH->RenBTC
This might have something to do with the rebase mechanism:
The attacker obtained 28,000,000 OUSD by depositing a combination of USDT and DAI, though somehow exited with 33,270,000 OUSD and then some. The remaining OUSD was subsequently withdrawn and liquidated into DAI and ETH.
The attack txes are inherently convoluted because part of the attack required deposits into the OUSD Vault. When depositing stables into OUSD, the funds are automatically put into the yield-bearing strategies.
Might have something to do with this as well.
Upon further analysis, it might have been a reentrancy attack that exploited the way in which OUSD rebases.
OUSD rebases continuously as users interact with Origin contracts.
In simple terms, a re-entrancy attack is basically like paying someone with a cheque that will bounce.
Forgot to mention, I believe I saw a tx where the attacker returned ~536,000 OUSD to a contract address or the Origin deployer.
Technically, that OUSD can't be redeemed for anything but it does have a bit of value on the secondary market (SushiSwap and Uniswap).
Messages are starting to be sent to the Origin attacker, where $5.5m remains.
One user said they lost $1,000, which they said came from their student loans.
Another claimed to have lost 0.5 ETH trying to trade the crash.
No dice... yet
On-chain communication with an attacker was recently popularized with the Value exploit, though it's existed for all of the major hacks as of late.
I remember DForce initially negotiating the return of $25m hacked via embedded messages.
Just saw the response from the Origin team. They are committed "to making things right" and have asked the attacker to return the funds.
They also gave a bit more context about the attack.
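The reentrancy-during-rebase idea raised earlier in this thread, as an added example that is not from the thread's author or from Origin. It is a toy Python model, not a reconstruction of the actual OUSD transactions (all names, amounts and the token hook are constructed assumptions): a deposit's external token call re-enters `rebase()` before the deposit's tokens are minted, shown next to the same flow behind a reentrancy guard.

```python
class Reentrancy(Exception):
    """Raised when the guard sees a call made while another is in progress."""

class RebasingVault:
    # Toy model (constructed): token supply is rebased up to the assets held.
    def __init__(self, guarded):
        self.guarded, self.locked = guarded, False
        self.assets, self.supply, self.balances = 0, 0, {}

    def _enter(self):
        if self.guarded and self.locked:
            raise Reentrancy("call rejected: vault is mid-transaction")

    def rebase(self):
        self._enter()
        if 0 < self.supply < self.assets:
            # Surplus assets are treated as yield and shared pro rata.
            for who in self.balances:
                self.balances[who] = self.balances[who] * self.assets // self.supply
            self.supply = sum(self.balances.values())

    def mint(self, user, amount, token_hook=None):
        self._enter()
        snapshot = (self.assets, self.supply, dict(self.balances))
        self.locked = True
        try:
            self.assets += amount          # deposit has arrived ...
            if token_hook:
                token_hook(self)           # ... external call into untrusted token code
            self.balances[user] = self.balances.get(user, 0) + amount
            self.supply += amount          # ... tokens for it are minted only now
        except Reentrancy:
            self.assets, self.supply, self.balances = snapshot  # model a revert
            raise
        finally:
            self.locked = False

def simulate(guarded):
    vault = RebasingVault(guarded)
    vault.mint("honest", 1_000)
    vault.mint("depositor", 3_000)
    try:
        # Hypothetical token whose transfer hook calls back into rebase().
        vault.mint("depositor", 4_000, token_hook=lambda v: v.rebase())
    except Reentrancy:
        pass
    return vault.assets, vault.supply, vault.balances

if __name__ == "__main__":
    print("unguarded:", simulate(False))
    print("guarded:  ", simulate(True))
```

Unguarded, the deposit is counted twice (once as rebase yield, once as a mint), so supply ends at 12,000 against 8,000 in assets; guarded, the reentrant call reverts the deposit and supply stays equal to assets.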
Bitcoin is resilient around $13k, Ethereum hit $420, and DeFi TVL is at an ATH at $12 billion.
As DeFi continues to grow, decentralized exchanges will remain pivotal.
Here’s a thread on the outlook of the AMM market (Uniswap, Balancer, Sushiswap, LinkSwap, DODO).
Before we get into it, a brief explainer of automated market makers.
AMMs are a type of decentralized exchange where users pool liquidity, then trade with the coins in the pool. AMMs price liquidity with a formula (often x * y = k), algorithmically matching purchases and sales.
AMMs are starting to overtake centralized exchanges.
Uniswap alone did more volume than Coinbase in September. AMM liquidity pools can sometimes be deeper than centralized exchanges, sans trading fees (see image #1).
AMMs also enable on-chain arbitrage, a massive market.
There's been a bunch of buzz about @barn_bridge over recent days. The project's stablecoin seed pool has $180m just 24 hours after its launch. This makes it one of the biggest Ethereum yield farms ever.
But what exactly is BarnBridge?
An ELI5 Thread - 👇
DeFi is currently disjointed and risky compared to TradFi.
Yields differ wildly (see below), there are no fixed yield products, there is no yield curve, crypto is high vol, etc.
Those are issues that "degens" can disregard. But big money, maybe not so much.
There's no doubt that capital is entering DeFi at a rapid clip. DeFi Pulse is reporting that TVL has reached $11 billion — a 1,000% gain in just over six months.
But the aforementioned inefficiencies are preventing the next wave of capital.
Whoever is farming @barn_bridge / (starting in 24 hrs), I made a spreadsheet with the annualized yields of the stablecoin pool. USDC, DAI, and sUSD accepted.
Not an endorsement - seems to be one of the better, relatively safe stablecoin yield farms, though.
Here's a matrix for the yields on the / Uniswap LP pool, starting in eight days.
Yields are much higher as I assume TVL will be much lower due to potential impermanent loss risks.
Pool #1 (stablecoins) will be open for 25 weeks, with 32,000 BOND released a week.
Pool #2 (BOND/USDC LP) will be open for 100 weeks, with 20,000 BOND released a week.
In total, 2,800,000 tokens—28% of the total supply—will be distributed through these pools.