Deus Finance Exploited: The Hacker Gained Around $3M

Key Takeaway:

  • The exploit led to a gain of ~$3M for the hacker (the protocol's loss may be larger), including 200,000 DAI and 1101.8 ETH.

Today Deus Finance was exploited. The transaction hash for the exploit is 0xe374495036fac18aa5b1a497a17e70f256c4d3d416dd1408c026f3f5c70a3a9c. The exploit led to a gain of ~$3M for the hacker (the protocol's loss may be larger), including 200,000 DAI and 1101.8 ETH.

The hack was made possible by flashloan-assisted manipulation of the price oracle, which reads the price directly from the StableV1 AMM USDC/DEI pair. Because the oracle trusted the pair's momentary reserves, even normal users unfortunately became insolvent. This can be clearly seen in the image below.

[Image: Flashloan-assisted manipulation]

To illustrate what actually happened we used the hack tx. The hacker first flashloaned 9,739,342 DEI via SPIRIT-LP_USDC_DEI. Then the hacker flashloaned 24,772,798 DEI out of the SAMM-USDC/DEI pair (which is used as the price oracle to calculate the collateral value). The hacker's next step was to liquidate the users who became insolvent as a result of the above step.

[Image: Price Manipulation]

Then the hacker repaid the borrowed 24,772,798 DEI to the SAMM-USDC/DEI pair. The next step was to burn the liquidated LP tokens to get 5,218,173 USDC + 5,246,603 DEI. Then the hacker swapped 5,218,173 USDC to 5,170,594 DEI. The last step was to repay the flashloan, leaving 3,001,552 DEI as hack profit. The whole sequence can be clearly seen in the image below.

[Image: Steps]
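The mechanism behind the two images above is that the lending contract priced collateral from the pair's momentary reserves, so a flashloan that removes most of one reserve mid-transaction moves the price, pushes healthy borrowers below the liquidation line, and is then repaid before the block ends. The simulation below is an added example, not Deus Finance's code: it uses a constant-product pool as a simplification (the real pair is a Solidly-style stable AMM), constructed reserve and borrower sizes, and an assumed DEI-denominated debt; the only figure taken from the article is the 24,772,798 DEI flashloan size. It shows the spot-reserve oracle failing, a time-weighted (TWAP) oracle over prior blocks not moving at all, and a simple spot-vs-TWAP deviation guard a lender can apply before acting on a reading.

```python
"""Constructed simulation: spot-reserve oracle vs TWAP under a one-transaction
flashloan. Constant-product pool and all sizes except the 24,772,798 DEI loan
are assumptions for illustration, not the Deus Finance contracts."""

from collections import deque
from dataclasses import dataclass


@dataclass
class Pool:
    """USDC/DEI pool whose price is implied purely by its reserve ratio."""
    usdc: float
    dei: float

    def spot_price(self) -> float:
        """DEI price in USDC, as a naive reserve-reading oracle sees it."""
        return self.usdc / self.dei

    def flash_withdraw_dei(self, amount: float) -> None:
        """Borrow DEI out of the pool; repaid within the same transaction."""
        if amount >= self.dei:
            raise ValueError("cannot drain the entire DEI reserve")
        self.dei -= amount

    def repay_dei(self, amount: float) -> None:
        self.dei += amount


class TwapOracle:
    """Average of prices observed at block boundaries. A reserve change that
    exists only inside one transaction is never observed, so it cannot move
    the average."""

    def __init__(self, window_blocks: int) -> None:
        self.observations = deque(maxlen=window_blocks)

    def record_block(self, pool: Pool) -> None:
        self.observations.append(pool.spot_price())

    def price(self) -> float:
        return sum(self.observations) / len(self.observations)


@dataclass
class Position:
    """A borrower: USDC-valued collateral against DEI-denominated debt (assumed)."""
    collateral_usdc: float
    debt_dei: float

    def health(self, dei_price_usdc: float) -> float:
        """Collateral value over debt value; below 1.0 is liquidatable."""
        return self.collateral_usdc / (self.debt_dei * dei_price_usdc)


def spot_is_trustworthy(spot: float, twap: float, max_deviation: float = 0.05) -> bool:
    """Guard a lender can apply before acting on a spot read: reject it when it
    strays further than max_deviation from the block-level TWAP."""
    return abs(spot - twap) / twap <= max_deviation


def simulate(flash_amount_dei: float) -> dict:
    pool = Pool(usdc=30_000_000.0, dei=30_000_000.0)   # constructed, balanced
    twap = TwapOracle(window_blocks=10)
    for _ in range(10):                                 # ten quiet blocks first
        twap.record_block(pool)
    # constructed borrower at 120% collateralisation
    borrower = Position(collateral_usdc=1_200_000.0, debt_dei=1_000_000.0)

    health_before = borrower.health(pool.spot_price())
    pool.flash_withdraw_dei(flash_amount_dei)           # reserves skewed mid-tx
    spot_during = pool.spot_price()
    result = {
        "health_before": health_before,
        "spot_price_during": spot_during,
        "health_spot_during": borrower.health(spot_during),
        "health_twap_during": borrower.health(twap.price()),
        "spot_rejected_by_guard": not spot_is_trustworthy(spot_during, twap.price()),
    }
    pool.repay_dei(flash_amount_dei)                    # loan repaid, reserves restored
    result["health_after"] = borrower.health(pool.spot_price())
    return result


if __name__ == "__main__":
    for key, value in simulate(24_772_798.0).items():
        print(f"{key:>24}: {value}")
```

Running it shows the borrower at health 1.2 before and after the transaction, but far below 1.0 while the DEI reserve is drained, if the contract trusts the spot price; the TWAP-based health never moves, and the deviation guard flags the spot reading. The same guard lets a much smaller, organic reserve movement through, which is the trade-off a lender tunes with `max_deviation`.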

The initial funds used to launch the hack were withdrawn from TornadoCash and bridged to Fantom via Multichain (previously Anyswap). The resulting gains were bridged back via Multichain (previously Anyswap) and the funds were laundered through TornadoCash.


At the time of writing the exploiter has transferred 1,100 ETH and 200k DAI into TornadoCash. The detailed transactions can be seen here.

[Image: TornadoCash]

Deus Finance Tweeted and informed the community that “We are aware of the recent exploit reports regarding the $DEI lending contract. The contract has been closed, both $DEUS & $DEI are unaffected. Devs are working on a summary of the events, all information will be communicated once we have assessed the full situation.”

Chaahat Girdhar

I'm Chaahat Girdhar, a journalist by profession who's turning her dreams into vision and vision into reality. I'm curious and have an appetite for gaining new knowledge, so I'm looking forward to learning things in the best way possible.