Deus Finance DAO has suffered another exploit and lost $13.4 million worth of ETH to a hacker less than a month after being hacked in a similar flash loan attack for roughly $3 million.
Deus DAO lost over $16 million to the two attacks
Blockchain security company PeckShield first reported the exploit, claiming that although the hacker gained around $13.4 million, the protocol might have lost more.
The @DeusDao was exploited today in https://t.co/USKNHhXeid with ~$13.4M gain for the hacker (The protocol loss may be larger).
— PeckShield Inc. (@peckshield) April 28, 2022
According to PeckShield, the hacker used a flash loan to manipulate the price oracle and inflate the value of DEI. Then the hacker used the inflated DEI as collateral to borrow and drain the protocol. The exploit in March was achieved using the same method.
1/ @deusdao Deus Finance was exploited in https://t.co/bfYCQcz5rZ, leading to the gain of ~$3M for the hacker (The protocol loss may be larger), including 200,000 DAI and 1101.8 ETH
— PeckShield Inc. (@peckshield) March 15, 2022
The hacker initially withdrew 800 ETH from Tornado Cash to initiate the exploit, sending the funds through Multichain into Fantom. After stealing the funds, the hacker repaid the flash loan and sent the proceeds to his wallet.
It now appears that the hacker has moved most of the proceeds from the wallet, as only 0.85 ETH was in the wallet as of press time.
Deus team response
In its initial response, Deus Finance DAO called for calm, saying that its team was working on the issue. The protocol claimed that all user funds were safe and that no user was liquidated due to the exploit.
The multichain decentralized derivatives platform also stated that the $DEI peg had been restored and that it would provide more updates soon.
The dev team is working on the DEI situation.
1. User funds are safe. No users were liquidated.
2. DEI lending has been temporarily halted.
3. $DEI peg has been restored.
More details to follow.
— DEUS Finance DAO (@DeusDao) April 28, 2022
Its founder, the pseudonymous lafachief, disagreed with how PeckShield described the exploit.
This is not exactly what happened, I will prepare something. https://t.co/7zwuPNdkly
— µ Lafa µ (@lafachief) April 28, 2022
He added that the protocol uses “Muon Oracles not onchain,” and that the hacker “was able to manipulate VWAP prices of Muon.” He continued that the attacker was “basically ‘faking’ swap of ~2M USDC to 100k DEI” and “manipulated the Muon VWAP price with it.”
This is what I know so far:
The attacker used this tx to manipulate muon price: https://t.co/G4hFwIjkBy
Muon is checking for SWAPS inside of solidly pool, we were working on changing that together with muon to add more sources and filter out transactions…
— µ Lafa µ (@lafachief) April 28, 2022
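The single-pool VWAP weakness and the mitigation mentioned above (more sources, filtering out transactions) can be illustrated with a short Python example. It is added here and is not Deus or Muon code; the pool names, trade figures, 10% deviation threshold and function names are constructed assumptions.

```python
from statistics import median

# Constructed sample data: (price in USDC per DEI, volume in DEI) per observed swap.
# The last solidly_pool entry models the swap described above: ~2M USDC for 100k DEI.
SOURCES = {
    "solidly_pool": [(1.00, 50_000), (1.01, 30_000), (0.99, 40_000), (20.0, 100_000)],
    "pool_b": [(1.000, 20_000), (1.002, 10_000)],   # hypothetical second source
    "pool_c": [(0.998, 15_000), (1.000, 5_000)],    # hypothetical third source
}

def vwap(trades):
    """Volume-weighted average price over (price, volume) pairs."""
    total_volume = sum(v for _, v in trades)
    if total_volume <= 0:
        raise ValueError("no volume to average")
    return sum(p * v for p, v in trades) / total_volume

def filter_outliers(trades, max_dev=0.10):
    """Drop swaps priced more than max_dev away from the window's median price."""
    if not trades:
        return []
    ref = median(p for p, _ in trades)
    return [(p, v) for p, v in trades if abs(p - ref) <= max_dev * ref]

def robust_price(sources, max_dev=0.10, min_sources=2):
    """Median of per-source filtered VWAPs; refuses to answer with too few sources."""
    quotes = []
    for trades in sources.values():
        kept = filter_outliers(trades, max_dev)
        if kept:
            quotes.append(vwap(kept))
    if len(quotes) < min_sources:
        raise ValueError("not enough independent price sources")
    return median(quotes)

if __name__ == "__main__":
    # One oversized swap dominates a volume-weighted average taken from a single pool.
    print(f"single-pool VWAP: {vwap(SOURCES['solidly_pool']):.4f}")
    # Filtering plus a cross-source median keeps the reported price near the peg.
    print(f"robust price:     {robust_price(SOURCES):.4f}")
```

The per-trade filter only helps while manipulated swaps are a minority of the window; the cross-source median is what limits the damage when one pool is skewed entirely.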
Lossless DeFi, a crypto hack mitigation tool, also offered to help Deus catch the hacker if it was willing to cooperate.
Hey @DeusDao. Our team has looked into this and we believe we can catch the culprit with you. DMed you if you’d like to work together.
— Lossless (@losslessdefi) April 28, 2022
However, some users are concerned about the platform’s security, considering that the same exploit had happened twice in less than a month.
Source: https://cryptoslate.com/deus-dao-suffers-another-flash-loan-exploit-loses-over-16m/