Deus Finance Suffers Second Exploit in 2 Months
- Cybercriminals made off with more than $13.4 million of cryptocurrency
- The attacker deceived Deus' smart contracts into reading data incorrectly on the platform's liquidity pools
- They used a flash loan to inflate the price of some assets artificially
DeFi application Deus Finance was exploited for the second time in two months. Early this morning, the cybercriminals made off with more than $13.4 million of cryptocurrency, according to security researchers at PeckShield. The attack took place on the Fantom Network, CoinDesk reported.
The Mechanism of the Attack
The attacker deceived Deus' smart contracts into reading data incorrectly on the platform's liquidity pools. They used a flash loan to inflate the price of some assets artificially, borrowed money, and made a profit after loan repayment.
The flash loan was in the approximate amount of $143 million, blockchain data show. While the attacker's profit was $13.4 million, the protocol's total losses are far greater, according to PeckShield.
In March, the protocol was attacked in a similar way. At that time, Deus lost $3 million.
The Deus Ecosystem
There are two tokens in the ecosystem: DEUS and DEI. The platform's governance token is DEUS. You burn DEUS by minting DEI, a stablecoin with a 1:1 peg to the U.S. dollar. You mint DEUS by redeeming DEI.
Using the flash loan, the attackers were able to temporarily manipulate the prices of DEI and USD Coin (USDC), another stablecoin, and then used these prices to borrow funds and drain the liquidity pool.
Flash Loans Clarified
With a flash loan, you can take out a loan in any amount without providing any collateral. The catch is that you have to repay the loan before the end of the transaction. If you don't, the smart contract reverses it as if there was never any loan.
Liquidity pools rely on oracles like Chainlink to make sure the prices of the assets in the pool are correct. Oracles also ensure no loan exceeds the total value of the pool. In Deus' case, the pool was in USDC and DEI.
Oracles are needed because blockchains cannot verify the accuracy of data, only store it.
Hackers took loan of 143M USDC, swapped 9.5M DEI
Yesterday, the hackers used a flash loan of over 143 million USDC to swap 9.5 million DEI, according to PeckShield. As a result, the price of 1 DEI rose above $1. They used 71,000 DEI to borrow over 17.2M using the manipulated prices, repaid the flash loan, and made off with $13.4 million.
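The following is an added example, not part of the original article and not Deus' code: a simplified model of why a price read directly from pool reserves can be inflated within one transaction, and how a deviation check against an independent reference price rejects the resulting borrow. The constant-product pool, the reserves, the 80% loan-to-value ratio and the 2% deviation bound are assumptions; only the 143M USDC swap size and the 71,000 DEI collateral come from the article.

```python
# Added illustration. ASSUMPTIONS: constant-product pool (x*y=k), no fees,
# constructed reserves, 80% loan-to-value, 2% deviation bound.
from dataclasses import dataclass

@dataclass
class Pool:
    usdc: float
    dei: float

    def spot_price(self) -> float:
        """USDC per DEI, read straight from the current reserves."""
        return self.usdc / self.dei

    def swap_usdc_for_dei(self, usdc_in: float) -> float:
        """Constant-product swap; returns the DEI paid out."""
        k = self.usdc * self.dei
        new_dei = k / (self.usdc + usdc_in)
        dei_out = self.dei - new_dei
        self.usdc, self.dei = self.usdc + usdc_in, new_dei
        return dei_out

def borrow_limit(collateral_dei: float, price: float, ltv: float = 0.8) -> float:
    """Maximum loan a lender grants against DEI valued at `price`."""
    return collateral_dei * price * ltv

def price_is_sane(spot: float, reference: float, max_dev: float = 0.02) -> bool:
    """Defender check: accept spot only if close to an independent reference
    (for example a time-weighted average or an external feed)."""
    return abs(spot - reference) / reference <= max_dev

def simulate(usdc_swapped_in: float, collateral_dei: float = 71_000) -> dict:
    pool = Pool(usdc=10_000_000, dei=10_000_000)   # constructed reserves
    reference = pool.spot_price()                  # price before the swap
    before = borrow_limit(collateral_dei, pool.spot_price())
    pool.swap_usdc_for_dei(usdc_swapped_in)        # large same-transaction swap
    spot = pool.spot_price()
    return {
        "spot_after": spot,
        "limit_before": before,
        "limit_naive": borrow_limit(collateral_dei, spot),
        "guard_accepts": price_is_sane(spot, reference),
    }

if __name__ == "__main__":
    for size in (50_000, 143_000_000):
        print(size, simulate(size))
```

In this model an ordinary 50,000 USDC trade moves the price by about 1% and passes the check, while the 143M USDC swap multiplies the naive borrow limit several hundred times and is rejected.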
DEUS prices plummeted thereafter. At the time of writing, the price of DEUS was $583.67, with a 24-hour trading volume of just over $8 million. The token has lost 7.77% in the last 24 hours.