A multi-chain DeFi protocol called Deus Finance DAO suffered a flash loan exploit on Thursday, with the hacker making off with about $13.4 million.
The unknown perpetrator carried out the exploit using a flash loan at around 2:40 AM UTC, according to on-chain data. Flash loans are loans taken out with a requirement that the borrowed sum be returned in the same transaction. These are made possible with smart contracts.
While flash loans are meant for arbitrage trading and improving capital efficiency, hackers have abused them to manipulate DeFi price data feeds — known as oracles — and carry out exploits.
According to blockchain security firm PeckShield, the Deus hacker took a flash loan to manipulate the price oracle within one of its liquidity pools on Fantom, involving a token called DEI paired against the USDC stablecoin.
In today's incident, the flash-loan-assisted manipulation caused DEI's price to rise sharply, PeckShield explained in a post. The DEI, at this inflated value, was then used as collateral to borrow additional capital within the same flash loan transaction.
This additional borrowed capital was sold for USDC stablecoin, after which the hacker repaid the flash loan — netting about $13.4 million. The culprit then moved the exploited funds from Fantom to Ethereum, where they routed them through Tornado Cash, a mixing protocol used to obfuscate Ethereum transactions.
In response to today's incident, Deus Finance said it halted lending of the exploited DEI tokens. It further claimed that "user funds are safe" and more details will follow later.
This wasn't the first security incident for Deus Finance. The protocol also lost $3 million to a flash loan exploit last month. The incident added to the debate around flash loans and the potential risk they pose to DeFi protocols.
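The oracle weakness PeckShield describes can be shown with a simplified model, comparing a lending check that trusts a pool's spot price with one that uses a time-averaged price and a deviation guard. This is an added example, not code from Deus Finance or PeckShield; it assumes a fee-free constant-product pool, and the reserves, loan-to-value ratio, function names and all figures are constructed for illustration.

```python
# Simplified model: fee-free constant-product pool (x * y = k). All figures are constructed.
from dataclasses import dataclass, field

@dataclass
class Pool:
    dei: float    # DEI reserve
    usdc: float   # USDC reserve
    history: list = field(default_factory=list)  # closing prices of past blocks

    def spot(self) -> float:
        """USDC per DEI, read directly from the current reserves."""
        return self.usdc / self.dei

    def end_block(self) -> None:
        """Record the closing price; only these samples feed the TWAP."""
        self.history.append(self.spot())

    def swap_usdc_for_dei(self, usdc_in: float) -> float:
        k = self.dei * self.usdc
        self.usdc += usdc_in
        dei_out = self.dei - k / self.usdc
        self.dei -= dei_out
        return dei_out

def twap(pool: Pool, window: int = 10) -> float:
    recent = pool.history[-window:]
    return sum(recent) / len(recent)

def guarded_price(pool: Pool, max_deviation: float = 0.05) -> float:
    """Price from past blocks only; refuse to price while spot has diverged."""
    ref = twap(pool)
    if abs(pool.spot() - ref) / ref > max_deviation:
        raise ValueError("spot deviates from TWAP; pause borrowing")
    return ref

def borrow_limit(collateral_dei: float, price: float, ltv: float = 0.8) -> float:
    return collateral_dei * price * ltv

def simulate():
    pool = Pool(dei=1_000_000, usdc=1_000_000)
    for _ in range(10):
        pool.end_block()                       # ten quiet blocks at 1 USDC per DEI
    honest = borrow_limit(100_000, pool.spot())
    pool.swap_usdc_for_dei(4_000_000)          # one large swap inside a single transaction
    naive = borrow_limit(100_000, pool.spot()) # spot-price check sees 25 USDC per DEI
    try:
        guarded = borrow_limit(100_000, guarded_price(pool))
    except ValueError:
        guarded = 0.0                          # guard trips, nothing is lent
    return honest, naive, guarded
```

In this model the same 100,000 DEI of collateral supports 80,000 USDC of borrowing before the swap and 2,000,000 USDC after it when spot price is trusted, while the guarded check lends nothing because the in-transaction price never reaches the averaged history.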