Deus Finance, a prominent decentralized finance (DeFi) platform, recently faced its third major security breach. This led to a significant loss of approximately $6.5 million across multiple networks, including Arbitrum, BSC, and Ethereum. Additionally, the DEI stablecoin, serving as collateral for third-party tools on the Fantom protocol, experienced a drastic drop of over 80% in its pegged value. The recurrence of such incidents has sparked concerns about the platform’s reliability and security, as hackers specifically targeted the Deus DAO for the third time.
How the Hack Went Down
The attacker executed a well-planned strategy, first identifying an address holding a substantial amount of DEI tokens. They then approved a large token allowance in favour of that DEI holder’s address. Exploiting a vulnerability caused by misordered parameters in the “burnFrom” function, the attacker called it with an amount of 0 and the holder’s address as the target. Because of the swapped parameters, this call rewrote the holder’s approval in the attacker’s favour, giving them spending rights over the holder’s balance. Finally, they used the “transferFrom” function to move the funds to their own address, completing the attack.
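To make the mechanics concrete, the following is an added example (not code from the original article or from Deus Finance) that models ERC-20 allowances in memory and contrasts a burnFrom whose owner/spender parameters are misordered with the correct one. It assumes the misordering took the form of reading the allowance with the two addresses swapped and writing the result back under the correct key, which is consistent with the article's description but is not the DEI contract's actual source. The `Erc20Model` class, the `HOLDER`/`CALLER` addresses and the two check functions are all constructed for illustration; the checks are the kind of invariant test a reviewer or auditor would write to catch this class of bug before deployment.

```python
"""Model of the ERC-20 allowance mechanics behind a misordered burnFrom.

Constructed illustration, not the DEI contract's source. The vulnerable
variant assumes the bug was a swapped (owner, spender) pair when the
allowance is read, so a caller's own approval toward the target ends up
recorded as the target's approval toward the caller.
"""


class Erc20Model:
    """In-memory balances and (owner, spender) -> amount allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, sender, spender, amount):
        # msg.sender grants `spender` the right to move `amount` of its tokens
        self.allowances[(sender, spender)] = amount

    def transfer_from(self, sender, owner, to, amount):
        if self.allowance(owner, sender) < amount:
            raise PermissionError("transfer amount exceeds allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("transfer amount exceeds balance")
        self.allowances[(owner, sender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def _burn(self, account, amount):
        if self.balances.get(account, 0) < amount:
            raise ValueError("burn amount exceeds balance")
        self.balances[account] -= amount

    def burn_from_misordered(self, sender, account, amount):
        """VULNERABLE model: owner and spender swapped when the allowance is read."""
        current = self.allowance(sender, account)  # should be (account, sender)
        if current < amount:
            raise PermissionError("burn amount exceeds allowance")
        self.allowances[(account, sender)] = current - amount  # written under the correct key
        self._burn(account, amount)

    def burn_from_fixed(self, sender, account, amount):
        """Correct ERC-20 semantics: spend from the allowance `account` granted `sender`."""
        current = self.allowance(account, sender)
        if current < amount:
            raise PermissionError("burn amount exceeds allowance")
        self.allowances[(account, sender)] = current - amount
        self._burn(account, amount)


HOLDER = "0xHOLDER"  # constructed address of a large token holder
CALLER = "0xCALLER"  # constructed address of an unrelated third party


def allowance_granted_by_zero_burn(burn_from):
    """Review check: allowance HOLDER -> CALLER after CALLER approves HOLDER and
    then calls burnFrom(HOLDER, 0). Correct code leaves it at 0; any other value
    means an unrelated caller can grant itself spending rights over HOLDER."""
    token = Erc20Model({HOLDER: 1_000_000})
    token.approve(CALLER, HOLDER, 2**256 - 1)  # CALLER approving HOLDER is harmless on its own
    burn_from(token, CALLER, HOLDER, 0)        # a zero-amount burn passes every require()
    return token.allowance(HOLDER, CALLER)


def unauthorized_burn_rejected(burn_from):
    """Second check: a nonzero burn by a party the holder never approved must revert."""
    token = Erc20Model({HOLDER: 1_000_000})
    try:
        burn_from(token, CALLER, HOLDER, 1)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for name, fn in (("misordered", Erc20Model.burn_from_misordered),
                     ("fixed", Erc20Model.burn_from_fixed)):
        print(name, "| allowance after zero burn:", allowance_granted_by_zero_burn(fn),
              "| unauthorized nonzero burn rejected:", unauthorized_burn_rejected(fn))
```

Note that the second check passes for both variants: the `require` on the allowance still reverts an unauthorized nonzero burn, so a test suite that only exercises nonzero burns by strangers never sees the problem. It is the zero-amount call, combined with the invariant that burnFrom must never increase any allowance, that exposes the swapped parameters.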
The attacker specifically targeted the Arbitrum network, Binance Smart Chain (BSC), and Ethereum network, resulting in losses of approximately $5 million on Arbitrum, $1.3 million on BSC, and $135k on Ethereum.
As news of the vulnerability spread, ethical hackers intervened to minimize further damage. The exploit was preempted on the BSC, and an on-chain message conveyed the intention to return the stolen funds to the Deus Deployer. Other ethical hackers have already returned over $600k in USDC to a recovery multi-sig. Despite these efforts, concerns persist regarding the protocol’s reliability and ability to prevent future attacks.
Deus Finance’s Response
Deus Finance promptly acknowledged the hack and took steps to address the situation. They established a multi-sig address to facilitate the return of funds by ethical hackers. Additionally, the platform initiated discussions on a recovery plan to assist affected users and engaged with the attacker through on-chain communication. However, due to the initial funding of the account via Tornado Cash on BSC, the chances of recovering the funds appear slim.
History of Hacks and Uncertain Future
This recent breach marks the third instance in which Deus Finance has fallen victim to hacking incidents. In March 2022, the platform suffered a flash-loan attack resulting in losses exceeding $3 million in Dai and Ether. Another attack occurred in April 2022, leading to nearly $13.4 million in losses, predominantly in Ethereum.
The repeated occurrences of such security breaches raise concerns about the adequacy of Deus Finance’s security measures and practices. Consequently, investors and users are likely to exercise caution when considering the platform as a trusted safeguard for their assets. As a result, the future of Deus Finance remains uncertain, necessitating substantial efforts to restore confidence in the platform’s security and integrity.