Deus Finance Hacked: $3 Million stolen after oracle exploit

Yet another DeFi attack has delivered a $3M payday to an attacker. This time a Deus Finance hack has seen an attacker take off with over $3 Million in crypto, with the attacker managing to siphon off both Ethereum and DAI stablecoins from the over-the-counter (OTC) derivatives platform.

A minimum of 200,000 DAI and over 1100 ETH were stolen by the hacker, who managed to pull off the attack my manipulating a price oracle, meaning that normal users of the service suddenly found themselves insolvent too.

How the Deus Finance Hack happened:

Security firm Peckshield explained how the attacker exploited a price oracle to pull off the heist.

1/ @deusdao Deus Finance was exploited in https://t.co/bfYCQcz5rZ, leading to the gain of ~$3M for the hacker (The protocol loss may be larger), including 200,000 DAI and 1101.8 ETH
— PeckShield Inc. (@peckshield) March 15, 2022

2/ The hack is made possible due to the flashloan-assisted manipulation of price oracle that reads the price from the pair of StableV1 AMM – USDC/DEI, so that even normal users unfortunately become insolvent! pic.twitter.com/kiG7rUAM96
— PeckShield Inc. (@peckshield) March 15, 2022

3/ To illustrate, we use the hack tx and show the key steps below pic.twitter.com/muDTgyquQ0
— PeckShield Inc. (@peckshield) March 15, 2022

4) The initial funds to launch the hack are withdrawn from @TornadoCash and tunneled to Fantom via @MultichainOrg. The result gains are tunneled via @MultichainOrg and funds are now washed via @TornadoCash. pic.twitter.com/UlJgiJMsa6
— PeckShield Inc. (@peckshield) March 15, 2022

This post will be updated as we get further information.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.