Deus Finance DeFi protocol hacked for $6 million

The hacker drained $6 million from the Deus Finance DeFi protocol through a vulnerability in the algorithmic stablecoin DEI.

Hi @DeusDao: it appears to be a pubic burn vulnerability with loss > $1.3M alone at BSC. The ARB/ETH deployments are also affected.

The BSC hack was successfully frontrun by a bot: https://t.co/hXskQOIfwV

The DEI token @ BSC was upgraded on Apr-10-2023 https://t.co/QJHwnZaXMk pic.twitter.com/C51CnVsg1B

— PeckShield Inc. (@peckshield) May 5, 2023

According to PeckShield analysts, on May 5 the attacker exploited a vulnerability in the BNB Smart Chain (BSC) networks and Arbitrum.

The hacker launched a bot on BSC, which led to losses of more than $1.3 million. Afterwards he attacked Arbitrum — during the ARB/ETH deployment the hacker withdrew more than $5 million.

Protocol representatives confirmed the incident and said that smart contracts were paused. The project team also burned DEI tokens on affiliated chains to prevent further damage.

Update on DEI tokens security breach

Yesterday:
In response to the security breach, all contracts were paused, and DEI tokens on chains were burnt to prevent further damage

— DEUS (@DeusDao) May 6, 2023

Deus Finance took balance snapshots before the burn, to offer users a compensation plan once operations resume.

«Users are advised to remain patient and not interact with the current DEI contracts until a concrete repayment plan is available,» said project representatives.

The DEI stablecoin is used as collateral for external tools built on the Fantom protocol. In the wake of the hack, the asset’s price fell more than 30% — from $0.30 to $0.20. According to CoinMarketCap, as of writing DEI had somewhat recovered and was trading at about $0.26.

On May 15, 2022, DEI lost its peg to the US dollar amid the depegging of the UST stablecoin and the collapse of the Terra ecosystem.

In March the attacker attacked the Deus Finance DAO using flash loans. His proceeds amounted to about $3 million.

Subsequently the project was attacked again— the hacker withdrew assets from the smart contracts worth approximately $13.4 million.

According to a CertiK report, in April 2023 crypto projects lost $103.7 million due to exploits, hacks and exit scams. Year-to-date losses total $429.7 million.