OUSD has been hacked, and there has been a loss of user funds. We are actively investigating the issue. We are committed to making things right. Please refer to this blog post as the authoritative source for continual updates over the course of the next few days.
Updated at 1:00AM UTC 12.12.2020 (Matthew Liu)
We have now published our compensation plan in full detail. If you are an affected user, please refer to that post.
Updated at 10:26AM UTC 11.25.2020 (Josh Fraser)
We want to share a rough timeline on when to expect full details regarding the compensation plan for the OUSD hack. Our current estimate is that it will take about 2 weeks to have a plan ready to share. It may take longer, but we hope to get it done faster. In approximately 2 weeks, we expect to be able to share our proposal for when and how affected parties will be reimbursed. The actual reimbursement will then happen at a later time. There are a lot of varying situations that we are trying to understand, so that we can structure a proposal that is fair to everyone. For example, we are collecting and analyzing data to understand how many people fall into each of the following categories:
Users that have held OUSD in their wallets since the attack
Liquidity providers on SushiSwap, Uniswap, or Mooniswap
SnowSwap stakers
Virgox users
Traders who sold or bought OUSD, despite being repeatedly told not to
We understand that people are anxious to know how compensation will work and whether they will be eligible. We will be sharing our proposal for community feedback. We want to make sure we are thinking through all of the scenarios and designing a plan that is fair to everyone while moving as quickly as possible.
In addition, we will be sharing updates less frequently as we move into this next phase. Even if we aren’t able to share all the details publicly, know that there is still a lot of progress being made behind the scenes. Our team continues to be focused on recovering funds, collecting and analyzing data, structuring the compensation plan, fixing the security issues with OUSD, and getting OUSD ready for re-launch. Thank you for your patience and support during this time.
Updated at 4:45PM UTC 11.20.2020 (Matthew Liu)
We wanted to update the community on our user compensation scenario. While we are confident that there is a path to recovering the capital that was lost, we have begun contingency planning in parallel. Regardless of whether we are able to recover user funds from the attacker, we are committed to doing right by our users.
Over one or more payment installments, the company intends to provide compensation equal to 100% of the value deposited to OUSD by OUSD holders at the time of the exploit. The payment methods, mechanics, and timing are still being structured, so we will need additional time to release the finalized compensation program specifics.
We have begun engineering efforts to reconstruct the state of OUSD balances in user wallets and liquidity pools (e.g. AMMs) at the time of the attack and shortly thereafter. This data capture and analysis will be ongoing, and we plan to offer transparent snapshots once this work has been completed.
We ask that you remain patient with us as we continue working through the data in the next couple of weeks. Completing this work is a prerequisite to launching our full compensation plan.
Importantly, we are not intending to mint or sell any OGN to fund the compensation plan. We also want to assure our OGN token holders that we will still be in a financially sound position to continue operating the Origin Platform (e.g. Dshop, new commerce products, and the next version of OUSD) even if we have to resort to the contingency plan.
Just as importantly, we want to reiterate that we are committed to making OUSD a successful product. We will make sure our users are made whole and plan to aggressively continue building out the product and accompanying ecosystem. We will also be upgrading our smart contracts and engaging in additional audits before re-launching OUSD. Despite being launched less than two months ago, OUSD has quickly demonstrated signs of product-market fit. In the two days prior to the hack, OUSD circulating supply had more than tripled while returning APYs at 50+%. We believe OUSD will be one of the foundational products in DeFi and peer-to-peer commerce over time. OUSD will accrue tremendous value to OGN holders through governance privileges and potential fees. As a team and community, we will overcome this setback and take OUSD and OGN to new levels in the near future.
Updated at 7:47am UTC 11.19.2020 (Josh Fraser)
We are offering a bounty of $1,000,000 USD to anyone that supplies substantial information or evidence leading to the return of customer funds. Payouts (if multiple individuals are involved) will be weighted by their relative contributions. If you have any information that may help us identify the attacker or recover the lost funds, please contact security@originprotocol.com immediately. Any bounties will be granted at the full discretion of Origin Protocol.
To the hacker, we believe you’ve made your point to us and our community. Developers deploying untested contracts before essential security audits have been completed need to be more comprehensive and diligent when developing their products. Users hoping to make profits need to be more patient and take responsibility for their investment decisions to avoid being rekt. As the developers of the OUSD smart contracts, we do not care if you return company funds or the personal investments of our founders. We believe you demonstrated superior knowledge in identifying vulnerabilities in our work. We ask that you act in a white hat manner and return all funds from OUSD users. The total amount of deposits excluding our founders and company funds is $6,159,000.00. If you do this, we will immediately stop all efforts to identify you or pursue legal action.
Remember that you are taking from those that have less. If you examine the wallet addresses that held OUSD, you will realize that many of our users are not degens or whales. Many OUSD users are new to DeFi and their losses can be life-altering in highly negative ways. We understand your desire to draw attention to smart contract vulnerabilities and teach developers the hard but necessary lesson for developing safe, secure, and battle-tested DeFi protocols. Keep Origin’s funds, but don’t punish our users, many of whom were new to crypto.
Recovering customer funds remains our single highest priority. We will exhaust all avenues to achieve this goal.
Updated at 10:15 PM UTC 11.17.2020 (Kay Yoo)
We are currently focused on gathering data with the aim of recovering funds for our OUSD holders. We will continue to provide frequent updates with our findings. Please stay tuned.
Updated at 10:38 AM UTC 11.17.2020 (Micah Alcorn)
As promised in an earlier update, we wanted to provide a detailed walk-through of the attack on the OUSD vault that happened earlier today. We’ll follow up with a full post-mortem in the coming days to explore a variety of ways to prevent future attacks. For now, we want to quickly shed light on what happened.
We will also have an upcoming post discussing the latest on our efforts to recover funds as well as our worst-case scenario plans to compensate users if we’re unable to recoup user deposits.
The attack originated from 0xb77f7bbac3264ae7abc8aedf2ec5f4e7ca079f83, with a contract deployed at Nov-17-2020 12:40:56 AM +UTC. Here is a description of the transactions that were initiated by this contract:
Nov-17-2020 12:47:19 AM +UTC
1. The Flash Loan
70,000 ETH was borrowed from dYdX.
2. The Stablecoin Swaps
17,500 ETH was exchanged for 7,855,911.53 USDT on Uniswap.
52,500 ETH was exchanged for 20,987,772.08 DAI on Uniswap.
3. The Simple Mint
Our mint method, which allows the sender to use one type of stablecoin to mint OUSD, was called with 7,500,000 USDT.
7,500,000 USDT was transferred to the vault.
7,500,000 OUSD was minted and transferred to the attacker, as intended.
At this point, the attacker held a little over half of all OUSD in existence, and the vault had an equivalent amount of collateral to support a supply of roughly 14,518,200 OUSD.
4. The Reentrancy
Our mintMultiple method, which allows the sender to use more than one type of stablecoin to mint OUSD, was called with 20,500,000 DAI as the first stablecoin.
    /**
     * @param _amounts Amount of each asset at the same index in the
     *                 _assets to deposit.
     */
    function mintMultiple(
        address[] calldata _assets,
        uint256[] calldata _amounts
    ) external whenNotDepositPaused
The 2,000 USDT mint triggered a rebase of the OUSD supply, which caused everyone’s OUSD balance to increase by a factor of approximately 2.41 (35,018,200 vault value / 14,518,200 OUSD supply). In other words, the contract thought that the additional 20,500,000 of value had come from earnings since no additional OUSD had actually been minted yet.
At this point, the attacker held approximately 18,090,156 OUSD when the vault value was 35,018,200.
2,000 USDT was transferred to the vault.
2,000 OUSD was minted and transferred to the attacker, causing the OUSD supply to increase to approximately 35,020,200.
20,500,000 OUSD was minted and transferred to the attacker, causing the OUSD supply to increase to 55,520,200 despite only having a value of 35,018,200.
At this point, the attacker held 38,592,156 OUSD, which exceeded the value of the vault.
5. The Initial OUSD Swaps
300,000.00 OUSD was exchanged for 158,550.17 USDT on Uniswap.
1,000,000.00 OUSD was exchanged for 520,756.83 USDT on SushiSwap.
6. The First Redeem
19,557,311.44 DAI was withdrawn from the OUSD vault.
9,417,676.79 USDT was withdrawn from the OUSD vault.
3,931,953.44 USDC was withdrawn from the OUSD vault.
33,269,189.62 OUSD was burned (as intended).
7. The Reverse Stablecoin Swaps
10,450,895.33 USDT was exchanged for 22,898.58 ETH on Uniswap.
3,931,953.45 USDC was exchanged for 8,305.92 ETH on Uniswap.
19,045,083.52 DAI was exchanged for 47,976.52 ETH on Uniswap.
8. The Loan Repayment
70,000 ETH was returned to dYdX.
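
The accounting in step 4 can be replayed in a small model that reproduces the figures above and shows what a reentrancy guard changes. This is an added example, not Origin's contract code: the Vault class, the external_call hook and the lock flag are assumptions, and the starting balances are the figures given after step 3.

```python
from fractions import Fraction

class Reentered(Exception):
    """Stands in for the revert a Solidity reentrancy guard would raise."""

class Vault:
    """Toy rebasing vault (assumed model, not Origin's contract)."""
    def __init__(self, balances, guarded):
        self.bal = {h: Fraction(b) for h, b in balances.items()}
        self.value = self.supply()          # start fully collateralised
        self.guarded, self.locked = guarded, False

    def supply(self):
        return sum(self.bal.values())

    def rebase(self):
        # Collateral above supply is treated as yield and paid to every holder.
        if self.value > self.supply():
            k = self.value / self.supply()
            self.bal = {h: b * k for h, b in self.bal.items()}

    def mint_multiple(self, who, amounts, external_call=None):
        if self.guarded and self.locked:
            raise Reentered("mint re-entered before the outer mint finished")
        outer, self.locked = self.locked, True
        self.rebase()
        self.value += sum(amounts)          # collateral is pulled in first
        if external_call:                   # hypothetical hook: control leaves
            external_call()                 # the vault mid-mint
        self.bal[who] += sum(amounts)       # supply is only updated here
        self.locked = outer

    def mint(self, who, amount):
        self.mint_multiple(who, [amount])

def replay(guarded):
    # Constructed starting state: the page's figures after step 3.
    v = Vault({"attacker": 7_500_000, "others": 7_018_200}, guarded)
    try:
        v.mint_multiple("attacker", [20_500_000],
                        external_call=lambda: v.mint("attacker", 2_000))
    except Reentered:
        return "reverted"
    return round(v.bal["attacker"]), round(v.supply()), round(v.value)

if __name__ == "__main__":
    print("unguarded:", replay(False))
    print("guarded:  ", replay(True))
```

The unguarded run ends with supply above vault value because the inner mint rebases while the outer deposit is already in the vault but not yet reflected in supply; with the guard, the inner call fails and the whole mint is treated as reverted.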