| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 15 | - | - | - | 15 |
| Fixed | - | - | - | - | 0 |
| Total | 15 | 0 | 0 | 0 | 15 |
Quick Summary

Deus Finance was exploited through a logic flaw in the $DEI token contract. The attacker drained pools on both Arbitrum and Binance Smart Chain (BSC), causing a loss of 6,227,977 $USD.

Details of the Exploit

DEI is the stablecoin of Deus Finance; it had lost its dollar peg in the previous hack. On May 5th, 2023, Deus Finance's $DEI token was exploited through a logic flaw in the token's burn logic that allowed an attacker to drain the DEI/USD and DEI/USDC pools on both the Arbitrum and Binance Smart Chain (BSC) chains. The attacker performed zero-amount burns and received $DEI tokens for nothing, which were then swapped for valuable stablecoins.

On the BSC chain alone roughly 1,336,814 $USD was lost. The stolen funds were transferred through several EOA addresses and then swapped for $DAI. A further 4,891,163 $USD was drained from the Arbitrum chain and swapped for 2,529 $ETH, which remain at the same address. In total, approximately 6,227,977 $USD worth of crypto assets was lost across both chains.

Block Data Reference

- Attacker initial address in BSC: https://bscscan.com/address/0x08e80ecb146dc0b835cf3d6c48da97556998f599
- Funds holder address in BSC: https://bscscan.com/address/0xdf61022837de1126488ed80f179eedd7af9cb465
- Malicious transaction in Binance Smart Chain: https://bscscan.com/tx/0xde2c8718a9efd8db0eaf9d8141089a22a89bca7d1415d04c05ba107dc1a190c3
- Attacker initial address in the Arbitrum chain: https://arbiscan.io/address/0x189cf534de3097c08b6beaf6eb2b9179dab122d1
- Malicious transaction in the Arbitrum chain: https://arbiscan.io/tx/0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef
Quick Summary

DEUS Finance was exploited through a flash loan combined with oracle manipulation, resulting in a significant loss.

Details of the Exploit

The attacker initiated the exploit by flash loaning 143.2m USDC, which was then swapped to 9.5m DEI via sAMM-USDC/DEI_USDC-DEI, pushing up the DEI price. 71k DEI was used as collateral to borrow 17.2k DEI from DeiLenderSolidex, after which the flash loan was repaid. The attacker was initially funded via Multichain, with the funds originating from an Ethereum address. After the attack, the profit was deposited back to that same Ethereum address.

Block Data Reference

- The attacker's address: https://ftmscan.com/address/0x701428525cbac59dae7af833f19d9c3aaa2a37cb
- The transaction behind the attack: https://ftmscan.com/tx/0x39825ff84b44d9c9983b4cff464d4746d1ae5432977b9a65a92ab47edac9c9b5
- The Ethereum address where the funds originated and were returned: https://etherscan.io/address/0x701428525cbac59dae7af833f19d9c3aaa2a37cb
- The Tornado Cash mixer where the stolen funds were deposited: https://bloxy.info/txs/transfers_from/0x701428525cbac59dae7af833f19d9c3aaa2a37cb?currency_id=1
- The attacker's address: https://ftmscan.com/address/0x1ed5112b32486840071b7cdd2584ded2c66198dd
- The transaction behind the attack: https://ftmscan.com/tx/0xe374495036fac18aa5b1a497a17e70f256c4d3d416dd1408c026f3f5c70a3a9c

The hack was made possible by flash loan-assisted manipulation of the price oracle, which takes its price from the StableV1 AMM - USDC/DEI pair. The attacker:

- flash loaned 9,739342 DEI via SPIRIT-LP_USDC_DEI
- flash loaned 24,772,798 DEI out of the sAMM-USDC/DEI pair (used as the price oracle to calculate the collateral value)
- liquidated users
- repaid the borrowed 24,772,798 DEI to the sAMM-USDC/DEI pair
- burnt the liquidated LP token to get 5,218,173 USDC + 5,246,603 DEI
- swapped 5,218,173 USDC to 5,170,594 DEI
- repaid the flash loan, keeping 3,001,552 DEI as hack profit

The attack profit was bridged via Multichain to Ethereum: https://ftmscan.com/tx/0x09dc3a1afd1dae211c31d7ad4b5cd6f68c9350727fa5d4c7c63efb9d287e3210

The funds were then deposited into the Tornado Cash mixer to hide traces: https://etherscan.io/address/0x1ed5112b32486840071b7cdd2584ded2c66198dd
| # | Name | Auditor | Date | Chains | Issues |
|---|---|---|---|---|---|
| 1 | Audit Report | Paladin | 2023/12/23 | Arbitrum | No active critical issues |