Deus DAO Exploited Again, Loses Reported USD 13M+ in Flashloan Attack
Another day, another exploit. Deus Finance DAO seems to have lost at least USD 13m in its own latest flashloan attack.
The project which describes itself as a “decentralized bilateral OTC [over-the-counter] derivatives platform” has confirmed the attack, claiming that user funds are safe, and adding that DEI lending has been paused.
The dev team is working on the DEI situation.— DEUS (@DeusDao) April 28, 2022
1. User funds are safe. No users were liquidated.
2. DEI lending has been temporarily halted.
3. $DEI peg has been restored.
More details to follow.
Per its website, the platform has two coins for its users: the protocol token DEUS and the fractional reserve stablecoin DEI, which is “majority-backed by a trusted stablecoin.”
As for now, no more details are available from the project itself, including the amount lost.
However, according to the blockchain security company PeckShield, the attacker took off with some USD 13.4m, while the loss for the protocol may be even larger.
On the other hand, the security-focused ranking platform CertiK‘s alert account tweeted that the attacker gained closer to USD 16.84m in profit. Furthermore, said the platform, the attacker held some USD 15.7m in assets in their wallet some two hours ago. As of 7:35 UTC, the wallet is showing ethereum (ETH) value of 2,483. The attacker had been transferring out funds until about an hour before press time.
Per the platform, ETH 5,446 (USD 15.78m) has been moved into the privacy solution Tornado Cash.
#CommunityAlert 🚨@DeusDao – $DEI Flash loan Attack Update:— CertiK Alert (@CertiKAlert) April 28, 2022
The Deus Finance exploiter has moved 5446 ETH into @TornadoCash.
At the time of writing 5446 ETH is worth ~$15,699,075.28 million.
Wallet: eth:0x701428525cbac59dae7af833f19d9c3aaa2a37cbhttps://t.co/pGtOYk3Ftp pic.twitter.com/gP0kciwYeW
The two firms shared the FTMScan transaction details showing millions of USD mostly in USD coin (USDC) and partially in DEI transferred just hours ago. An address said to be involved in the hack currently has only USD 132.5 to its name, with the funds having been transferred out.
PeckShield stated that “the hack is made possible due to the flashloan-assisted manipulation of price oracle,” whereby “the manipulated price of collateral DEI is then used to borrow and drain the pool.”
This is not the first time the decentralized finance (DeFi) marketplace was exploited for millions of dollars worth of coins: just a bit more than a month ago, on March 15, it lost some USD 3m in a seemingly very similar or same fashion, according to PeckShield.
Per the post-mortem, an exploiter used a flash loan attack against their Oracles. “We will make everyone whole again — anyone affected by the exploit will be reimbursed completely,” the team behind the DeFi project said at the time.
– Crypto Security in 2022: Prepare for More DeFi Hacks, Exchange Outages, and Noob Mistakes
– AkuDreams NFT Team Announces Rewritten Code After Flaw in First Code Locked USD 34M
– Beanstalk Hacker Drains USD 182M from Project, But Nets Only USD 80M
– North Korea’s Lazarus Group Behind Axie Infinity’s Ronin Hack, Say US Treasury, FBI
– ApeCoin Smart Contract Exploited, ‘Well-Prepared Claimer’ Walks Away With USD 380K
– MetaMask Issues Warning About Phishing Attacks Via iCloud After a User Lost USD 650K
– Here’s How You Can Protect Yourself Against Phishing as Trezor is Attacked