Deus Finance DAO has suffered another exploit, losing $13.4 million worth of ETH to a hacker less than a month after it was hacked in a similar flash loan attack for about $3 million.
Deus DAO lost over $16 million from the two attacks
Blockchain security firm PeckShield was the first to report the exploit, claiming that while the hacker gained around $13.4 million, the protocol may have lost more.
That @DeusDao was exploited today in https://t.co/USKNHhXeid with ~$13.4 million gain for the hacker (log loss may be greater).
— PeckShield Inc. (@peckshield) April 28, 2022
According to PeckShield, the attacker used a flash loan to manipulate the price oracle and inflate the value of DEI, then posted the inflated DEI as collateral to borrow from the protocol and drain it. The exploit in March used the same method.
1/ @deusdao Deus Finance was exploited in https://t.co/bfYCQcz5rZ, resulting in ~$3 million gain for the hacker (log loss may be greater), including 200,000 DAI and 1101.8 ETH
— PeckShield Inc. (@peckshield) March 15, 2022
The attacker first withdrew 800 ETH from Tornado Cash to fund the exploit and bridged the funds to Fantom via Multichain. After draining the protocol, the attacker repaid the flash loan and moved the proceeds to their own wallet.
The attacker has since moved most of the proceeds out of that wallet, which held only 0.85 ETH at the time of writing.
Response from the Deus team
In its initial response, Deus Finance told the DAO community to stay calm and said its team was working on the issue. The protocol stated that all user funds were safe and that no user had been liquidated as a result of the exploit.
The multichain decentralized derivatives platform also announced that the $DEI peg had been restored and that it would provide more updates soon.
The development team is working on the DEI situation.
1. User funds are safe. No users were liquidated.
2. DEI lending has been temporarily suspended.
3. $DEI peg has been restored. More details to come.
— DEUS Finance DAO (@DeusDao) April 28, 2022
Its founder, the pseudonymous Lafachief, disagreed with PeckShield's description of the exploit.
That’s not exactly what happened, I’ll prepare something. https://t.co/7zwuPNdkly
— µ Lafa µ (@lafachief) April 28, 2022
He added that the protocol uses “Muon Oracles not onchain” and the hacker “was able to manipulate Muon’s VWAP prices.” He went on to say that the attacker “essentially ‘faked’ the exchange of ~2M USDC to 100,000 DEI” and thereby “rigged the Muon VWAP price”.
This is what I know so far:
The attacker used this TX to manipulate the muon price: https://t.co/G4hFwIjkBy
Muon is looking for SWAPS within the solid pool, we have been working with Muon to change that to add more sources and filter out transactions…
— µ Lafa µ (@lafachief) April 28, 2022
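The mechanism Lafachief describes, a VWAP that only weights swaps observed in one pool and can therefore be dominated by a single large trade, is simulated below. This is an added example, not code from Deus, Muon or PeckShield; the pool names, trade sizes, the 500,000 USDC per-trade cap and the 50% loan-to-value ratio are assumptions made for illustration. It computes the single-pool VWAP a naive oracle would report after one self-dealt trade of 2M USDC for 100,000 DEI, sets it beside a hardened oracle that drops outsized trades and takes the median across several sources, and shows how much a lender would extend against the same collateral at each price.

```python
"""Simulate VWAP oracle manipulation by one outsized swap.

Added illustration, not code from Deus, Muon or PeckShield. All pool names,
trade sizes, the trade-size cap and the loan-to-value ratio are assumptions.
"""
from dataclasses import dataclass
from statistics import median
from typing import Iterable, Optional


@dataclass(frozen=True)
class Swap:
    """One on-chain swap buying DEI with USDC, as an oracle would index it."""
    pool: str
    usdc_in: float   # USDC paid by the trader
    dei_out: float   # DEI received by the trader


def vwap(swaps: Iterable[Swap]) -> Optional[float]:
    """Volume-weighted average USDC price of DEI over the given swaps."""
    swaps = list(swaps)
    dei = sum(s.dei_out for s in swaps)
    if dei == 0:
        return None
    return sum(s.usdc_in for s in swaps) / dei


def naive_oracle_price(swaps: list[Swap], pool: str) -> Optional[float]:
    """Weak design: trust every swap from a single pool, whatever its size.
    One outsized trade dominates the volume weighting."""
    return vwap(s for s in swaps if s.pool == pool)


def hardened_oracle_price(swaps: list[Swap], max_trade_usdc: float) -> Optional[float]:
    """Per-pool VWAP with outsized trades dropped, then the median across pools.
    Pools left with no eligible volume are skipped rather than read as zero."""
    per_pool: dict[str, list[Swap]] = {}
    for s in swaps:
        if s.usdc_in <= max_trade_usdc:
            per_pool.setdefault(s.pool, []).append(s)
    prices = [p for p in (vwap(v) for v in per_pool.values()) if p is not None]
    return median(prices) if prices else None


def borrow_capacity(dei_collateral: float, price: float, ltv: float) -> float:
    """USDC a lender would extend against DEI collateral at the oracle price."""
    return dei_collateral * price * ltv


# Constructed sample: organic trades at $1 in three pools, plus one
# self-dealt trade that "buys" 100,000 DEI for 2M USDC in the pool the
# naive oracle reads.
ORGANIC = [
    Swap("solidly", 50_000, 50_000),
    Swap("solidly", 20_000, 20_000),
    Swap("solidly", 30_000, 30_000),
    Swap("spooky", 40_000, 40_000),
    Swap("spooky", 10_000, 10_000),
    Swap("curve", 60_000, 60_000),
]
ATTACKER_SWAP = Swap("solidly", 2_000_000, 100_000)
ALL_SWAPS = ORGANIC + [ATTACKER_SWAP]

MAX_TRADE_USDC = 500_000   # assumed per-trade cap for the hardened oracle
LTV = 0.5                  # assumed loan-to-value ratio of the lender


def attack_summary() -> dict:
    """Compare what each oracle reports and what 100,000 DEI can borrow."""
    naive = naive_oracle_price(ALL_SWAPS, "solidly")
    robust = hardened_oracle_price(ALL_SWAPS, MAX_TRADE_USDC)
    collateral = ATTACKER_SWAP.dei_out
    return {
        "naive_price": naive,
        "hardened_price": robust,
        "naive_borrow": borrow_capacity(collateral, naive, LTV),
        "hardened_borrow": borrow_capacity(collateral, robust, LTV),
    }


if __name__ == "__main__":
    for k, v in attack_summary().items():
        print(f"{k:>16}: {v:,.2f}")
```

With these inputs the single-pool oracle reports DEI at 10.5 USDC, so 100,000 DEI of collateral backs a 525,000 USDC loan instead of 50,000. The size cap alone is a weak control, since an attacker can split one large swap into many below the threshold; the median across independent sources is what forces the attacker to move every pool at once. A time-weighted window over several blocks would raise the cost further, because a flash loan can only distort prices within a single transaction.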
Lossless DeFi, a crypto hack mitigation tool, also offered to help Deus catch the hacker if it were willing to cooperate.
hey @DeusDao. Our team has investigated this and we believe that with you we can catch the culprit. DMed you if you want to collaborate.
— Lossless (@losslessdefi) April 28, 2022
However, some users are concerned about the platform's security, given that the same kind of exploit succeeded twice in less than a month.
