Another day, another exploit. Deus Finance DAO seems to have lost at least USD 13m in its own latest flashloan attack.
The project which describes itself as a “decentralized bilateral OTC [over-the-counter] derivatives platform” has confirmed the attack, claiming that user funds are safe, and adding that DEI lending has been paused.
The dev team is working on the DEI situation.
1. User funds are safe. No users were liquidated.
2. DEI lending has been temporarily halted.
3. $DEI peg has been restored.More details to follow.
— DEUS Finance DAO (@DeusDao) April 28, 2022
Per its website, the platform has two coins for its users: the protocol token DEUS and the fractional reserve stablecoin DEI, which is “majority-backed by a trusted stablecoin.”
As for now, no more details are available from the project itself, including the amount lost.
However, according to the blockchain security company PeckShield, the attacker took off with some USD 13.4m, while the loss for the protocol may be even larger.
On the other hand, the security-focused ranking platform CertiK‘s alert account tweeted that the attacker gained closer to USD 16.84m in profit. Furthermore, said the platform, the attacker held some USD 15.7m in assets in their wallet some two hours ago. As of 7:35 UTC, the wallet is showing ethereum (ETH) value of 2,483. The attacker had been transferring out funds until about an hour before press time.
Per the platform, ETH 5,446 (USD 15.78m) has been moved into the privacy solution Tornado Cash.
#CommunityAlert 🚨@DeusDao – $DEI Flash loan Attack Update:
The Deus Finance exploiter has moved 5446 ETH into @TornadoCash.At the time of writing 5446 ETH is worth ~$15,699,075.28 million.
Wallet: eth:0x701428525cbac59dae7af833f19d9c3aaa2a37cbhttps://t.co/pGtOYk3Ftp pic.twitter.com/gP0kciwYeW
— CertiK Alert (@CertiKAlert) April 28, 2022
The two firms shared the FTMScan transaction details showing millions of USD mostly in USD coin (USDC) and partially in DEI transferred just hours ago. An address said to be involved in the hack currently has only USD 132.5 to its name, with the funds having been transferred out.
PeckShield stated that “the hack is made possible due to the flashloan-assisted manipulation of price oracle,” whereby “the manipulated price of collateral DEI is then used to borrow and drain the pool.”
This is not the first time the decentralized finance (DeFi) marketplace was exploited for millions of dollars worth of coins: just a bit more than a month ago, on March 15, it lost some USD 3m in a seemingly very similar or same fashion, according to PeckShield.
Per the post-mortem, an exploiter used a flash loan attack against their Oracles. “We will make everyone whole again — anyone affected by the exploit will be reimbursed completely,” the team behind the DeFi project said at the time.
Source: Cryptonews
