The DeFi protocol Deus Finance DAO has again come under attack. According to PeckShield, the attacker drained assets worth about $13.4 million from the smart contracts, though the project “could have suffered more.”
The @DeusDao was exploited today in https://t.co/USKNHhXeid with ~$13.4M gain for the hacker (The protocol loss may be larger).
— PeckShield Inc. (@peckshield) April 28, 2022
In March 2022, an unknown attacker stole around $3 million, including 200,000 DAI and 1,101.8 ETH. The attacker used flash loans: the assets obtained this way allowed the hacker to manipulate the price oracle that determines the price in the USDC/DEI pair.
Analysts said a similar attack vector was used on April 28.
3/ To illustrate, we use the hack tx and show the key steps below: pic.twitter.com/JyhgYpBmoB
— PeckShield Inc. (@peckshield) April 28, 2022
“The hack was made possible by manipulating the price oracle that reads data from the USDC/DEI pair, using a flash loan. The manipulated DEI collateral price was then used to borrow and drain the pool. Sounds familiar?” PeckShield wrote.
The team noted that launching the attack required 800 ETH (about $2.31 million). The funds were moved through the Tornado Cash mixer and sent to the Fantom network via the cross-chain protocol Multichain. The stolen assets were then moved back to Ethereum.
4/ The initial funds (~800 ETH) to launch the hack are withdrawn from @TornadoCash and tunneled to Fantom via @MultichainOrg. The stolen funds are tunneled back to @ethereum and stay in the hacker’s account https://t.co/crqRXRVuRw. pic.twitter.com/eaa8j5lxtK
— PeckShield Inc. (@peckshield) April 28, 2022
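The oracle weakness PeckShield describes above, as an added example (not code from Deus Finance or PeckShield): a collateral valuation that trusts the spot price of a USDC/DEI pair is compared with one that refuses to price collateral when spot has moved away from a time-weighted average. The constant-product pool, reserve sizes, 30-minute window and 2% threshold are assumptions made for illustration; the page does not describe the protocol's actual oracle code.

```python
# Added illustration: pool model, sizes and thresholds are constructed assumptions.
class Pair:
    """Constant-product USDC/DEI pool (x * y = k), fees ignored."""
    def __init__(self, usdc, dei):
        self.usdc, self.dei = usdc, dei
    def spot(self):
        return self.usdc / self.dei              # USDC per DEI from live reserves
    def swap_usdc_for_dei(self, usdc_in):
        k = self.usdc * self.dei
        self.usdc += usdc_in
        self.dei = k / self.usdc                 # reserves rebalance to keep k

class TwapOracle:
    """Cumulative-price oracle: a price only counts for the time it persisted."""
    def __init__(self, pair, now):
        self.pair, self.cum = pair, 0.0
        self.last_t, self.last_price = now, pair.spot()
        self.obs = [(now, 0.0)]                  # (timestamp, cumulative price)
    def poke(self, now):                         # called once per block
        self.cum += self.last_price * (now - self.last_t)
        self.last_t, self.last_price = now, self.pair.spot()
        self.obs.append((now, self.cum))
    def twap(self, window):
        t1, c1 = self.obs[-1]
        t0, c0 = next((t, c) for t, c in self.obs if t >= t1 - window)
        if t1 == t0:
            raise ValueError("not enough history for a TWAP")
        return (c1 - c0) / (t1 - t0)

def guarded_value(pair, oracle, dei_amount, window=1800, max_dev=0.02):
    spot, twap = pair.spot(), oracle.twap(window)
    if abs(spot - twap) / twap > max_dev:        # spot moved too far, too fast
        raise ValueError("spot deviates from TWAP, refusing to price collateral")
    return dei_amount * twap

def simulate():
    pair = Pair(usdc=10_000_000, dei=10_000_000)
    oracle = TwapOracle(pair, now=0)
    for t in range(60, 1801, 60):                # 30 minutes of quiet blocks
        oracle.poke(t)
    before = 1_000_000 * pair.spot()             # naive spot valuation of 1M DEI
    pair.swap_usdc_for_dei(40_000_000)           # large borrowed swap, same block
    after = 1_000_000 * pair.spot()              # same collateral, inflated price
    try:
        guarded = guarded_value(pair, oracle, 1_000_000)
    except ValueError:
        guarded = None                           # valuation rejected
    return before, after, guarded
```

A time-weighted average raises the cost of moving the price but does not remove it: a distortion held across many blocks in a thin pool still shifts the average, so lending protocols usually pair it with an independent price feed and borrow caps.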
According to CoinGecko, the incident caused the algorithmic stablecoin DEI to temporarily lose its peg to the US dollar. At one point the asset traded as low as $0.95.
The Deus Finance DAO team confirmed the hack. The developers said user funds are safe and that their positions were not liquidated. DEI lending has been halted, and the stablecoin’s peg to the dollar has been restored.
The dev team is working on the DEI situation.
1. User funds are safe. No users were liquidated.
2. DEI lending has been temporarily halted.
3. $DEI peg has been restored.
More details to follow.
— DEUS Finance DAO (@DeusDao) April 28, 2022
In the wake of the hack, the protocol’s native token DEUS fell by nearly 16%. At the time of writing, the asset was trading near 510 FTM (around $504).
In April, the Ethereum-based Beanstalk Farms lost more than $181m in cryptocurrencies due to a hack.
