How Deus Finance Was Exploited for $13.4M
Decentralized finance (DeFi) application Deus Finance was exploited for the second time in the space of two months. The attackers obtained over $13.4 million worth of cryptocurrency in early Asian hours today, according to security researchers at PeckShield. The exploit occurred on the Fantom Network. After numerous reports from PeckShield, the team behind the Fantom Network was able to identify and mitigate the exploitation. However, there have been concerns about the usability of DeFi protocols because of their susceptibility to attacks such as these, in which a large amount of cryptocurrency is lost. The fact that this isn’t an isolated incident should also be cause for concern.
Deus Finance is a DeFi protocol built on the Fantom Network. It allows users to earn interest on their cryptocurrency holdings by staking them in the protocol. The interest rates are variable and depend on the amount of currency that is staked. Deus Finance allows developers to build financial services such as futures trading, lending, and options on its platform.
The attackers were able to exploit a flaw in the Deus Finance protocol and mint new tokens without having to stake any. The attack used a flash loan to distort the data that Deus’ smart contracts read from the platform’s liquidity pools. This allowed the attacker to artificially inflate the value of some assets, borrow funds and make a profit after repaying the loan.
Some $143 million was borrowed as a flash loan, blockchain data appear to show. The hacker was able to make a profit of $13.4 million. PeckShield said the total losses to the protocol could be much higher.
Using the flash loan, Deus’ attackers were able to temporarily manipulate prices on a liquidity pool consisting of the USD Coin (USDC) stablecoin and DEI, and use the manipulated DEI price to borrow and drain the pool. The attacker then reportedly repaid the loan using USDC, before withdrawing both USDC and DEI.
Flash loans allow DeFi users to take out loans against zero collateral. This isn’t crypto magic or free money: The loan must be repaid before the transaction ends or the smart contract reverses the transaction – as if the loan never existed.
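The sketch below is an added example, not code from Deus Finance or from the original article. It shows why a price read directly from pool reserves can be moved and restored inside a single transaction, while a per-block average with a deviation check does not follow it. The fee-free constant-product pool, the reserves, the swap size and the 5% threshold are all constructed assumptions.

```python
# Added illustration, not Deus Finance code. Pool model (fee-free constant
# product), reserves, swap size and thresholds are constructed assumptions.

class Pool:
    def __init__(self, usdc, dei):
        self.usdc, self.dei = usdc, dei
        self.observations = []          # one spot price per block, taken before trades

    def spot_price(self):
        """DEI price in USDC from current reserves; moves with every swap."""
        return self.usdc / self.dei

    def start_block(self):
        self.observations.append(self.spot_price())

    def swap_usdc_for_dei(self, usdc_in):
        k = self.usdc * self.dei        # invariant x * y = k
        self.usdc += usdc_in
        dei_out = self.dei - k / self.usdc
        self.dei -= dei_out
        return dei_out

    def swap_dei_for_usdc(self, dei_in):
        k = self.usdc * self.dei
        self.dei += dei_in
        usdc_out = self.usdc - k / self.dei
        self.usdc -= usdc_out
        return usdc_out

    def average_price(self, window):
        """Mean of the last `window` per-block observations (simplified TWAP)."""
        recent = self.observations[-window:]
        return sum(recent) / len(recent)


def guarded_price(pool, window=10, max_deviation=0.05):
    """Return the averaged price; refuse to price if spot has diverged from it."""
    avg = pool.average_price(window)
    if abs(pool.spot_price() - avg) / avg > max_deviation:
        raise ValueError("spot price deviates from average; pricing paused")
    return avg


def simulate(swap_usdc=40_000_000.0):
    pool = Pool(usdc=10_000_000.0, dei=10_000_000.0)
    for _ in range(10):                 # ten quiet blocks at 1.00
        pool.start_block()
    dei_out = pool.swap_usdc_for_dei(swap_usdc)    # large swap inside one transaction
    during = (pool.spot_price(), pool.average_price(10))
    pool.swap_dei_for_usdc(dei_out)                # reversed before the transaction ends
    return during, pool.spot_price()
```

A lending or minting contract that values collateral with spot_price() sees the inflated figure for the duration of the swap; one that uses guarded_price() either sees the pre-swap average or declines to price at all.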
The news of the hack sent shockwaves through the DeFi community, with some users pointing fingers at the audit firm CertiK, which had audited Deus’ smart contracts. However, in a statement released today, CertiK said it had utilized a third-party software auditing tool that wasn’t able to detect the issue.
CertiK has said that it will now conduct additional audits, improve its current process and work with other smart contract auditors to establish best practices for automated contract security testing. At the time of writing, it remains unclear who is behind this attack.
This is not the first time that a flash loan has been used to exploit a DeFi protocol. In February, an attacker used a flash loan to exploit Compound, another DeFi protocol where users can earn interest on their crypto assets. As a result of the exploit, $13.4 million was stolen from Deus Finance. Even though the attack happened in 2020, it is only now that the team behind Deus Finance has disclosed its details as they were working to restore all funds lost.
The Deus team says it has already fixed the issue and is working on recovering the funds. It has also halted all trading on the platform while it conducts a full audit.