Deus Finance exploit: Hackers get away with $3M worth of DAI and Ether

Published at: March 15, 2022

Multi-token decentralized finance (DeFi) marketplace Deus Finance has become the latest victim of an exploit, resulting in losses of over $3 million in DAI and Ether (ETH).

DeFi analytics firm PeckShield took to Twitter to explain the cause and manner in which the funds were exploited. The hackers behind the attack managed to exploit and manipulate the price oracle for flash loans, resulting in the insolvency of users’ funds.

1/ @deusdao Deus Finance was exploited in https://t.co/bfYCQcz5rZ, leading to the gain of ~$3M for the hacker (The protocol loss may be larger), including 200,000 DAI and 1101.8 ETH

— PeckShield Inc. (@peckshield) March 15, 2022

The hackers manipulated the price of the StableV1 AMM USDC/DEI pair, which the protocol used to set the price oracle for its flash loans.
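The weakness described above, shown as an added example that is not Deus Finance or PeckShield code: an oracle that reads a pool's current reserves reports whatever price a single large swap leaves behind, while one that compares the spot price with an average of earlier per-block samples rejects the reading. The constant-product formula (standing in for the StableV1 curve), the reserve figures, the 2% bound and the names `Pool` and `GuardedOracle` are all assumptions.

```python
# Added illustration: simplified constant-product pool (x * y = k), not the
# StableV1 curve and not Deus Finance code. All reserves are constructed.

class Pool:
    def __init__(self, usdc, dei):
        self.usdc, self.dei = float(usdc), float(dei)

    def spot_price(self):
        """USDC per DEI read straight from the current reserves."""
        return self.usdc / self.dei

    def swap_usdc_for_dei(self, usdc_in):
        """Constant-product swap, fees ignored for clarity."""
        k = self.usdc * self.dei
        self.usdc += usdc_in
        self.dei = k / self.usdc


class GuardedOracle:
    # Keeps per-block price samples and rejects a spot price that strays
    # too far from their average (a TWAP-style sanity bound).

    def __init__(self, max_deviation=0.02):
        self.samples = []
        self.max_deviation = max_deviation

    def record_block(self, pool):
        # Called once per block, so a same-transaction swing is never sampled.
        self.samples.append(pool.spot_price())

    def price(self, pool):
        twap = sum(self.samples) / len(self.samples)
        spot = pool.spot_price()
        if abs(spot - twap) / twap > self.max_deviation:
            raise ValueError(f"spot {spot:.3f} deviates from TWAP {twap:.3f}")
        return twap


def demo():
    pool = Pool(usdc=1_000_000, dei=1_000_000)   # constructed reserves
    oracle = GuardedOracle()
    for _ in range(10):                          # ten quiet blocks at 1.00
        oracle.record_block(pool)
    before = pool.spot_price()
    pool.swap_usdc_for_dei(9_000_000)            # one large swap in one transaction
    after = pool.spot_price()                    # what a reserve-reading oracle reports
    try:
        oracle.price(pool)
        rejected = False
    except ValueError:
        rejected = True
    return before, after, rejected
```

A lending contract that values collateral at `after` would see DEI priced at 100 times its earlier level; the guarded read fails instead of returning that figure.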

PeckShield revealed that hackers managed to steal 200,000 DAI and 1101.8 ETH, and the total amount of stolen funds could be larger than the early estimates of $3 million.

The hacker behind the attack then funneled the stolen funds using the coin mixer tool Tornado Cash via the Multichain protocol (previously known as AnySwap).

Deus Finance acknowledged the exploit on its lending protocol and claimed it has closed its $DEI lending contract. The DeFi protocol also claimed that both $DEUS and $DEI are unaffected by the exploit.

We are aware of the recent exploit reports regarding the $DEI lending contract. Contract has been closed, both $DEUS & $DEI are unaffected. Devs are working on a summary of the events, all information will be communicated once we have assessed the full situation.

— DEUS Finance DAO (@DeusDao) March 15, 2022

Deus Finance provides DeFi infrastructure to help others create financial instruments including synthetic stock trading platforms, options and futures trading.

Lafayette Tabor, the CEO of Deus Protocol, took to Twitter to inform the community about the reimbursement plans. He said that the developers would create a new contract where affected users would be able to repay their loans. He explained:

“We will create a contract you will be able to repay your DEBT on it and get your sAMM that were liquidated, we will also implement a feature that lets you swap DEI against a small MUON allocation. (paying from my team allocation).”