defirisk.co
rubric v1.7.0

Origin Protocol (OUSD): Flash loan + fake token injection → missing mintMultiple() validation → reentrancy → rebase inflation → drain

Occurred: 2020-11-17 | Loss: $8M | Status: closed

Summary

Origin Protocol (OUSD), an algorithmic / yield-bearing stablecoin, suffered an exploit on 2020-11-17, resulting in a loss of approximately $8M.

What happened

Origin Protocol's OUSD lost $7.7M when a gas-optimization refactor accidentally removed a single validation check, letting an attacker pass a fake stablecoin into mintMultiple(), trigger reentrancy, inflate the total OUSD supply, and redeem more than the vault held.

Linked factors

  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the validation bug was introduced during a refactoring pass (gas optimization) shortly before the hack]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 70,000 ETH flash loan from dYdX (very large flash loan for November 2020)]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the validation bug was introduced during a refactoring pass (gas optimization) shortly before the hack]