Deus Finance, a decentralized finance (DeFi) protocol, just suffered its third major hack, resulting in a loss of around $6.5 million across the Arbitrum, BSC, and Ethereum networks. The DEI stablecoin, used as collateral for third-party instruments built on the Fantom protocol, also depegged by over 80%. This incident has raised serious concerns over the security and trustworthiness of the protocol, as it is the third time hackers have targeted Deus DAO. In this article, we will analyze the hack itself and past ones.
The hack on Deus Finance was due to a simple implementation bug in the DEI token contract, introduced during an upgrade the previous month. The “burnFrom” function was misconfigured: the '_allowances' lookup used 'msgSender' and 'account' in the wrong order. This error created a public burn vulnerability the attacker could exploit to gain control over DEI holders' approvals and transfer their assets directly to the attacker's own addresses.
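The bug class described above, shown as an added example rather than the DEI contract's own code: a minimal ERC20-style token with a reversed-index burnFrom next to the corrected version. The contract name, function names and the exact body of the vulnerable function are reconstructions from the description in this article, not DEI source.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20-style token, constructed for illustration (not the DEI contract).
contract AllowanceBurnExample {
    mapping(address => uint256) private _balances;
    // _allowances[owner][spender]: how much `spender` may move out of `owner`'s balance.
    mapping(address => mapping(address => uint256)) private _allowances;
    uint256 public totalSupply;

    event Approval(address indexed owner, address indexed spender, uint256 value);
    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 initialSupply) {
        _balances[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    function balanceOf(address a) external view returns (uint256) {
        return _balances[a];
    }

    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowances[owner][spender];
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        _approve(msg.sender, spender, amount);
        return true;
    }

    // VULNERABLE pattern (assumed reconstruction of the bug class): the allowance is READ with
    // owner and spender swapped, so the caller's own approval *of* `account` is consulted
    // instead of `account`'s approval of the caller. The recomputed value is then WRITTEN
    // to the correct slot, so a call can raise the caller's spending power over `account`
    // instead of only ever lowering it. Kept here only to contrast with the fix below.
    function burnFromVulnerable(address account, uint256 amount) external {
        address msgSender = msg.sender;
        uint256 currentAllowance = _allowances[msgSender][account]; // BUG: indices reversed
        require(currentAllowance >= amount, "burn amount exceeds allowance");
        unchecked {
            _approve(account, msgSender, currentAllowance - amount);
        }
        _burn(account, amount);
    }

    // FIXED: read and write the same slot, _allowances[account][msg.sender], through one
    // helper so the two indices cannot drift apart again.
    function burnFrom(address account, uint256 amount) external {
        _spendAllowance(account, msg.sender, amount);
        _burn(account, amount);
    }

    function _spendAllowance(address owner, address spender, uint256 amount) internal {
        uint256 currentAllowance = _allowances[owner][spender];
        require(currentAllowance >= amount, "burn amount exceeds allowance");
        unchecked {
            _approve(owner, spender, currentAllowance - amount);
        }
    }

    function _approve(address owner, address spender, uint256 amount) internal {
        require(owner != address(0) && spender != address(0), "zero address");
        _allowances[owner][spender] = amount;
        emit Approval(owner, spender, amount);
    }

    function _burn(address account, uint256 amount) internal {
        require(account != address(0), "zero address");
        uint256 bal = _balances[account];
        require(bal >= amount, "burn amount exceeds balance");
        unchecked {
            _balances[account] = bal - amount;
        }
        totalSupply -= amount;
        emit Transfer(account, address(0), amount);
    }
}
```

The property a unit or invariant test should pin down for any `burnFrom`-style function is that it never increases an `_allowances` entry: after `burnFrom(account, amount)` by `spender`, `allowance(account, spender)` equals the old value minus `amount`, and no other allowance changes. Routing every allowance decrement through a single `_spendAllowance(owner, spender, amount)` helper, as in the fixed version, makes an index swap in one call site impossible to introduce silently during an upgrade.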
The attacker's process involved the following steps:
The attacker targeted the Arbitrum network, the Binance Smart Chain (BSC), and the Ethereum network, resulting in losses of approximately $5 million on Arbitrum, $1.3 million on BSC, and $135k on Ethereum.
Attacker’s address (Arbitrum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
Example attack tx (Arbitrum): 0xb1141785…
Frontrunner address (BSC): 0x5a647e376d3835b8f941c143af3eb3ddf286c474
Example attack tx (BSC): 0xde2c8718…
Attacker’s address (Ethereum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
Example attack tx (Ethereum): 0x6129dd42…
As the vulnerability became public knowledge, some whitehats were able to step in and mitigate further damage. On BSC, the exploit was front-run, and an on-chain message indicated the intent to return the stolen funds to the Deus Deployer. Over $600k in USDC has been returned to a recovery multi-sig by other whitehats. Despite these efforts, questions remain about the trustworthiness of the thrice-hacked protocol and its ability to prevent future incidents.
Deus Finance acknowledged the hack and confirmed a multi-sig address for whitehats to return funds. They also mentioned a recovery plan for users who lost out in the exploit and contacted the attacker on-chain. However, given that the account was initially funded via Tornado Cash on BSC, the chances of recovering the funds look slim.
This recent attack marks the third time Deus Finance has been targeted by hackers. In March 2022, the protocol suffered a flash-loan attack resulting in over $3 million in losses in Dai and Ether. In April 2022, another attack led to a loss of nearly $13.4 million, mainly in Ethereum.
These repeated incidents have raised questions about the security measures and practices of Deus Finance, and whether it can still be trusted after being hacked thrice. The future of Deus Finance remains uncertain, with investors and users likely to be wary of the protocol's ability to protect their assets.
The recent Deus Finance hack highlights the importance of robust security measures and thorough code audits in DeFi protocols. With increasing numbers of hacks and exploits in the DeFi space, it is crucial for projects to prioritize security and ensure that they are well-protected against potential threats. The future of Deus Finance hangs in the balance as the protocol works on regaining the trust of its users and investors following this latest attack.