Security is our top priority at Origin. The security of our smart contracts that handle user funds and millions of dollars of value is paramount. These smart contracts represent the core of OUSD and are also the biggest attack vector for hackers and exploits. With that in mind, we have completed multiple security audits and have developed robust internal security practices. We also conduct regular public reviews of other smart contracts and exploits to integrate learnings into our own team while sharing with the wider community. The latest security audit of our smart contracts was performed by OpenZeppelin, one of the most prominent and respected smart contract security auditing firms in the space.
The team at OpenZeppelin spent five weeks analyzing the smart contracts that power OUSD, including the vault and the yield-generating strategies. We are happy to report that they did not find any major issues that could have resulted in a loss of funds for our users. We were very pleased with their attention to detail and their suggestions have helped us make considerable improvements to the quality of our codebase.
The most severe issue that they discovered could theoretically have allowed a percentage of OUSD yields to be stolen due to the OGN buyback code being executed on Uniswap without specifying any slippage protection. While marked as a critical bug, this attack wouldn’t have been economically viable given the number of tokens at stake. Nonetheless, we immediately disabled the buyback code until we were able to deploy a freshly audited contract in its place. It’s important to note that no user capital was ever at risk. Each of the issues identified by OpenZeppelin has since been fixed and there are currently no known risks to user funds or yields.
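To make the slippage finding concrete, here is an added illustration (not Origin's buyback contract or OpenZeppelin's report text) of the weak pattern beside its hardened form. It assumes a Uniswap V2 style router interface, a hypothetical `governor` address that is the only permitted caller, and a two-hop `path` from the token being sold to OGN; every name below is an assumption for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Uniswap V2 router and ERC-20 interfaces (only the functions used here).
interface IUniswapV2Router02 {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Illustrative buyback contract (assumed names; not Origin's code).
contract BuybackExample {
    IUniswapV2Router02 public immutable router;
    IERC20 public immutable sellToken; // token funding the buyback
    IERC20 public immutable ogn;       // token being bought back
    address public immutable governor; // hypothetical authorised caller
    address[] private path;

    modifier onlyGovernor() {
        require(msg.sender == governor, "not governor");
        _;
    }

    constructor(address _router, address _sellToken, address _ogn, address _governor) {
        router = IUniswapV2Router02(_router);
        sellToken = IERC20(_sellToken);
        ogn = IERC20(_ogn);
        governor = _governor;
        path.push(_sellToken);
        path.push(_ogn);
    }

    // BEFORE: amountOutMin is 0 and the deadline is unbounded. Any output amount,
    // however small, satisfies the router, so the swap accepts whatever price the
    // pool shows at execution time. That is the "no slippage protection" defect
    // the audit flagged: a transaction that moves the pool price just before this
    // call lets the buyback execute at a bad rate and the difference is lost.
    function buybackUnprotected() external onlyGovernor {
        uint256 amountIn = sellToken.balanceOf(address(this));
        sellToken.approve(address(router), amountIn);
        router.swapExactTokensForTokens(amountIn, 0, path, address(this), type(uint256).max);
    }

    // AFTER: the caller passes a minimum acceptable OGN amount computed off-chain
    // (for example from an independent price source minus a tolerance) and a short
    // deadline. The router reverts if the pool cannot deliver at least minAmountOut,
    // so a manipulated price makes the swap fail instead of executing at a loss.
    // Note: quoting the minimum on-chain in the same transaction (getAmountsOut)
    // would NOT help, because it would read the already-manipulated pool state.
    function buybackProtected(uint256 minAmountOut, uint256 deadline) external onlyGovernor {
        require(minAmountOut > 0, "min out must be set");
        require(deadline >= block.timestamp, "deadline passed");
        uint256 amountIn = sellToken.balanceOf(address(this));
        require(amountIn > 0, "nothing to sell");
        sellToken.approve(address(router), amountIn);
        uint256[] memory amounts =
            router.swapExactTokensForTokens(amountIn, minAmountOut, path, address(this), deadline);
        // Defensive re-check of the router's own guarantee.
        require(amounts[amounts.length - 1] >= minAmountOut, "slippage exceeded");
    }
}
```

The design choice worth noting is that the bound must come from outside the transaction being protected: a minimum derived from the pool in the same call inherits whatever distortion the pool currently has, while a caller-supplied figure and a tight deadline turn a bad execution into a revert.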
At Origin, regular audits are an integral part of our multi-pronged approach to security, but they are just one of many ways we make sure your funds stay safe. We believe that sunlight is the best disinfectant. The entire codebase for OUSD is open-source, which allows the community to alert us to potential new security threats and help us patch them quickly. We regularly use static analyzers such as Slither to detect known vulnerability patterns and enforce recommended coding practices. While those tools can't be relied on to catch every possible vulnerability, they provide a useful extra level of scrutiny. We have a comprehensive suite of unit tests that runs automatically on every commit. Any pull request submitted to the Origin Protocol codebase must get a thorough review from a senior engineer on the project before it can be merged into the repository, and any contract change proposal must reach consensus within our multi-sig. Our contracts are owned by a timelock, so that OUSD holders can review any pending changes and have time to move their funds if they see anything they don't like.
In addition to regular internal audits, we have now had external audits performed by some of the most reputable firms in the space, including Trail of Bits, Solidified, Certora, and now OpenZeppelin. You can see the results of all our completed audits on the OUSD docs.
The complete audit report from OpenZeppelin is embedded below:
We found the OpenZeppelin team a joy to work with and their audit was incredibly thorough, thoughtful, and professional. We take our security practices extremely seriously and we will continue to strive to make OUSD the safest and easiest way to earn DeFi yields without any of the hassles.
Learn more: