DEUS Finance Hack - April 28, 2022
Overview
Deus Finance DAO, a multi-chain DeFi protocol, suffered a flash loan exploit on April 28, 2022, with the hacker making off with about $13.4 million. The unknown perpetrator carried out the exploit using a flash loan at around 2:40 AM UTC.
Technical Root Cause
According to blockchain security firm PeckShield, the Deus hacker took a flash loan to manipulate the price oracle within one of its lending pools on Fantom. The targeted pair was DEI (Deus's stablecoin) paired against the USDC stablecoin. The DEI/USDC pool on the protocol's lending market read its price directly from the reserves of the StableV1 AMM pair, with no TWAP or sanity check, so a single large swap within one transaction could move the price the lending market saw.
Attack Vector / Steps
1. Attacker took out a flash loan
2. Used the flash loan to swap into the StableV1 DEI/USDC pair, distorting the on-pool price of DEI dramatically upward
3. The lending market's price oracle (which read directly from the pool reserves) reported DEI as artificially valuable
4. Attacker then borrowed against tiny DEI collateral, taking out far more USDC than the actual market value would have allowed
5. The borrowed USDC was retained as profit
6. Attacker repaid the flash loan and walked away with ~$13.4 million
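The oracle weakness in the root cause and the borrow step above, as an added simulation that is not code from Deus Finance or PeckShield: a spot oracle that reads the reserve ratio is compared with one that uses a TWAP of prior-block observations plus a deviation check. The pool is modelled as a constant-product AMM (an assumption; the real StableV1 pair uses a stableswap curve, but the reserve-ratio manipulation mechanic is the same), and all reserve, swap and collateral amounts are constructed values.

```python
from collections import deque


class Pool:
    """Constant-product AMM stand-in for the DEI/USDC pair (simplified model)."""

    def __init__(self, dei: float, usdc: float):
        self.dei, self.usdc = dei, usdc

    def spot_price(self) -> float:
        # USDC per DEI, read straight from reserves: what the exploited oracle used
        return self.usdc / self.dei

    def swap_usdc_for_dei(self, usdc_in: float) -> float:
        # x*y = k; the pool gives out DEI so that k is preserved
        k = self.dei * self.usdc
        new_usdc = self.usdc + usdc_in
        dei_out = self.dei - k / new_usdc
        self.usdc, self.dei = new_usdc, self.dei - dei_out
        return dei_out


class SpotOracle:
    """Reports the current reserve ratio with no smoothing or sanity check."""

    def price(self, pool: Pool) -> float:
        return pool.spot_price()


class GuardedOracle:
    """TWAP over observations recorded in earlier blocks, plus a deviation bound."""

    def __init__(self, window: int = 10, max_deviation: float = 0.05):
        self.obs = deque(maxlen=window)
        self.max_deviation = max_deviation

    def observe(self, pool: Pool) -> None:
        # Called once per prior block; a same-block flash loan cannot add history
        self.obs.append(pool.spot_price())

    def price(self, pool: Pool) -> float:
        twap = sum(self.obs) / len(self.obs)
        if abs(pool.spot_price() - twap) / twap > self.max_deviation:
            raise ValueError("reserve price deviates from TWAP; refusing to quote")
        return twap


def max_borrow_usdc(oracle, pool: Pool, dei_collateral: float, ltv: float = 0.8) -> float:
    """USDC a lending market would hand out against DEI collateral at the oracle price."""
    return oracle.price(pool) * dei_collateral * ltv
```

In the constructed scenario (1,000,000 DEI / 1,000,000 USDC, ten prior observations at 1.0, then a 3,000,000 USDC flash-loan swap) the spot oracle quotes 16 USDC per DEI and would lend 1,280,000 USDC against 100,000 DEI, while the guarded oracle refuses the quote.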
Post-Exploit Activity
The attacker moved the exploited funds from Fantom to Ethereum, where they routed them through Tornado Cash, a mixing protocol used to obfuscate Ethereum transactions.
Financial Impact
• ~$13.4 million net profit to the attacker
• Funds laundered via Tornado Cash on Ethereum
Response and History
• In response, Deus Finance halted lending of the exploited DEI tokens
• Claimed that "user funds are safe" with more details to follow
• This was not the first security incident for Deus Finance: the protocol had lost $3 million to a flash-loan / oracle exploit the previous month (March 2022)
Sources