Decentralized finance (DeFi) application Deus Finance was exploited for the second time in two months, with the attacker gaining more than $13.4 million of cryptocurrency in early Asian hours today, security researchers at PeckShield said in a tweet. The exploit occurred on the Fantom Network.
-
Deus allows developers to build financial services such as futures trading, lending and options on its platform. (Disclosure: The writer of this report is a liquidity provider for Deus on Ethereum, Fantom and BNB Chain.)
-
The attacker used a flash loan to trick the way Deus’s smart contracts read data on the platform’s liquidity pools. This allowed the attacker to artificially inflate the value of some assets, borrow funds and make a profit after repaying the loan.
-
Some $143 million were borrowed as a flash loan, blockchain data appear to show. The hacker was able to make a profit of $13.4 million. PeckShield said the total losses to the protocol could be much higher.
-
The Deus ecosystem comprises two tokens: DEUS and DEI. DEUS is the governance token on the platform. Minting DEI, a stablecoin pegged 1:1 to the U.S. dollar, burns DEUS, and redeeming DEI mints DEUS, according to developer documents.
-
Thursday’s exploit was the second in two months on the protocol, which was attacked in a similar manner in March for $3 million.
How the attack took place
Using the flash loan, Deus’ attackers were able to temporarily manipulate prices on a liquidity pool consisting of the USD coin (USDC) stablecoin and DEI, and use the manipulated DEI price to borrow and drain the pool.
Flash loans allow DeFi users to take out millions of dollars as a loan against zero collateral. This isn’t crypto magic or free money: The loan must be repaid before the transaction ends or the smart contract reverses the transaction – as if the loan never existed.
On the other end, liquidity pools, such as the USDC and DEI pool on Deus, rely on so-called oracles to ensure they are correctly priced at all times and any borrowing is within limits that don’t exceed the total value of those pools. Oracles are blockchain-based tools that provide smart contracts with trusted external information. These are required because blockchains can immutably store data, but can’t verify if the input data are accurate.
On Thursday, the attackers were able to take out a flash loan of over 143 million USDC, and used that to swap 9.5 million DEI, according to PeckShield. This caused the price of DEI to suddenly become more expensive than the usual exchange rate of $1.
The attacker then used some 71,000 DEI to borrow over 17.2 million DEI using the manipulated prices. The flash loan was then repaid, and the attacker managed to pocket $13.4 million.
DEUS prices fell 16.5% in the past 24 hours, CoinGecko data show. A bulk of these losses came after the exploit was made public. Deus had not responded to a request for comment by publication time.