According to a tweet by DeFi analytics company PeckShield, decentralized derivatives protocol Deus Finance suffered an exploit on April 28, 2022. The blockchain security provider noted that the attacker used flash loans to manipulate a price oracle on Deus DAO.
The Rise and Rise of Flash Loan Attacks
“The hack is made possible due to the flashloan-assisted manipulation of the price oracle that reads from the StableV1 AMM – USDC/DEI pair. The manipulated price of collateral DEI is then used to borrow and drain the pool,” PeckShield explained.
The exploit allowed the malicious actor to siphon over $13.4 million from the lending protocol’s liquidity pool on Fantom Network. However, the total loss to the Deus protocol could be much higher, according to security-focused firm CertiK.
In a tweet posted on Thursday morning, CertiK confirmed that a flash loan exploit had occurred on the Deus platform but estimated that the attacker had made around $16.84 million in profit.
Hacker Transfers Stolen Funds into Crypto Mixer
The unknown attacker was able to subvert the way the Deus smart contracts interpret price oracle data, allowing him to manipulate the value of the collateral, DEI. DEI is the DeFi protocol’s fractional reserve stablecoin, pegged to the value of the US dollar.
With the inflated price, the hacker used the collateral to borrow large sums of crypto as a flash loan and drain the pool. Shortly after securing his loot of approximately 5446 ETH, the attacker moved funds from his wallet to Tornado Cash, a popular coin-mixing tool.
At the time of writing, the wallet address associated with the Deus exploiter has a balance of only $132, as most of the stolen funds have already been funneled into the Tornado Cash privacy solution.
The Deus ecosystem is reeling in the wake of the devastating exploit in the early Asian hours on Thursday. The exploit has sent the price of DEI crashing 16.5% over the past 24 hours, per data from CoinGecko. The bulk of the losses came after blockchain security firms went public with the details of the flash loan attack.
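The oracle weakness PeckShield describes, a lending contract valuing DEI collateral at the pair's instantaneous price, can be contrasted with a time-weighted price and a deviation check. This is an added example, not code from Deus Finance or PeckShield; the fee-less constant-product pool, the pool sizes, the 2% deviation bound and the 80% loan-to-value ratio are all constructed assumptions, and the page does not say which mitigation Deus adopted.

```python
# Added example with constructed numbers; not Deus Finance code.
# Assumption: a fee-less constant-product pool stands in for the USDC/DEI pair.

class Pool:
    def __init__(self, dei, usdc):
        self.dei, self.usdc = float(dei), float(usdc)
        self.cum_price = 0.0      # running sum of price * seconds
        self.last_ts = 0

    def spot(self):
        return self.usdc / self.dei            # USDC per DEI right now

    def tick(self, ts):
        # Credit the price that held since the previous update.
        self.cum_price += self.spot() * (ts - self.last_ts)
        self.last_ts = ts

    def swap_usdc_for_dei(self, usdc_in, ts):
        self.tick(ts)
        k = self.dei * self.usdc               # invariant x * y = k
        self.usdc += usdc_in
        self.dei = k / self.usdc

def twap(pool, start_ts, start_cum, now):
    pool.tick(now)
    return (pool.cum_price - start_cum) / (now - start_ts)

class OracleDeviation(Exception):
    pass

def guarded_price(spot, avg, max_dev_bps=200):
    # Refuse to value collateral when spot strays from the time-weighted price.
    if abs(spot - avg) * 10_000 > max_dev_bps * avg:
        raise OracleDeviation(f"spot {spot:.2f} vs TWAP {avg:.2f}")
    return min(spot, avg)

def borrow_limit(collateral_dei, price, ltv_bps=8_000):
    return collateral_dei * price * ltv_bps / 10_000

def scenario():
    pool = Pool(dei=10_000_000, usdc=10_000_000)
    pool.tick(1_800)                               # 30 minutes at 1.00
    pool.swap_usdc_for_dei(40_000_000, ts=1_800)   # one oversized same-block swap
    spot, avg = pool.spot(), twap(pool, 0, 0.0, now=1_800)
    try:
        guarded = borrow_limit(1_000_000, guarded_price(spot, avg))
    except OracleDeviation:
        guarded = 0.0                              # borrow rejected
    return borrow_limit(1_000_000, spot), borrow_limit(1_000_000, avg), guarded

if __name__ == "__main__":
    print(scenario())
```

The spot-priced limit is 25 times the time-weighted one because a price that exists for zero seconds contributes nothing to the average; a flash loan must be repaid in the same transaction, so it cannot hold the price long enough to move it.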
Deus Finance Developers Suspend DEI Lending
The Deus dev team has moved fast to quell panic amongst users following Thursday’s devastating hack on the network. In a tweet posted on Thursday morning, the project backers assured investors that the bilateral OTC derivatives platform is now secure.
The team confirmed that user funds were safe and reiterated that no investors were liquidated. They further explained that DEI’s 1:1 peg to the US dollar was restored, but informed market participants that lending of the stablecoin had been temporarily halted.
Unfortunately, the latest hack on Deus Finance isn’t the first. Just last month, the DeFi marketplace was hit by attackers using the same flash loan attack vector. As reported by crypto.news, that exploit saw cybercriminals walk away with about $3 million in ETH and DAI coins.
Following the March 15 breach, Deus Finance DAO announced the shutdown of the DEI lending contract. The CEO of Deus protocol, Lafayette Tabor, then laid out a reimbursement plan that enabled affected users to repay their loans and reclaim liquidated funds.