Deus Finance DAO suffers $3 million flash loan attack

Quick Take

  • The attacker used flash loans to manipulate the price oracle for one of the project’s stablecoin lending contracts.
  • The exploit netted the attacker about $3 million, which has been laundered via Tornado Cash.

Multi-chain DeFi protocol Deus Finance DAO has become the latest victim of a flash loan exploit, adding to the controversy surrounding flash loans and the potential danger they pose to DeFi protocols.

The attacker reportedly earned about $3 million from the attack. Despite the attack, the Deus Finance team says funds are safe and that it will publish a post-mortem in due course.

Details of the hack

According to blockchain security outfit PeckShield, the attacker used flash loans to carry out the attack. Flash loans are popular in the DeFi space as they allow users to borrow huge amounts of crypto without collateral — and at a relatively low cost — but require the loan to be repaid within the same transaction.

The exploit targeted the project’s stablecoin lending contract. The borrowed cash was used to manipulate the price oracle — a tool that provides price information to the blockchain — for the USD Coin/DEI (USDC/DEI) stablecoin trading pair.

By manipulating the price oracle, the attacker caused the lending positions of some users to become insolvent. The attacker then repaid the loans but still made off with about $3 million worth of DEI as profit. DEI is an algorithmic stablecoin in the Deus ecosystem.
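The following added example (not from the article or from Deus Finance) shows why a solvency check that reads an instantaneous pool price can flag a healthy position as insolvent, and how a time-weighted average with a deviation guard resists it. The article does not describe the oracle's design, so the constant-product pool, reserves, thresholds and all function names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:
    """Toy fee-free constant-product pool; price of token A quoted in token B."""
    reserve_a: float
    reserve_b: float
    observations: list = field(default_factory=list)  # (timestamp, price) samples

    def spot_price(self) -> float:
        return self.reserve_b / self.reserve_a

    def record(self, ts: int) -> None:
        self.observations.append((ts, self.spot_price()))

    def swap_a_for_b(self, amount_a: float) -> float:
        k = self.reserve_a * self.reserve_b
        self.reserve_a += amount_a
        out = self.reserve_b - k / self.reserve_a
        self.reserve_b -= out
        return out

    def twap(self, now: int, window: int) -> float:
        """Time-weighted mean over [now - window, now]; samples must span the window."""
        start, total = now - window, 0.0
        pts = self.observations + [(now, None)]
        for (t0, price), (t1, _) in zip(pts, pts[1:]):
            lo, hi = max(t0, start), min(t1, now)
            if hi > lo:
                total += price * (hi - lo)
        return total / window

def is_solvent(collateral_a, debt_b, price, liq_threshold=0.8):
    return collateral_a * price * liq_threshold >= debt_b

def may_liquidate(pool, now, collateral_a, debt_b, window=1800, max_dev=0.05):
    """Hardened check: price from the TWAP, no liquidation while spot is far from it."""
    ref = pool.twap(now, window)
    if abs(pool.spot_price() - ref) / ref > max_dev:
        return False
    return not is_solvent(collateral_a, debt_b, ref)

def demo():
    pool = Pool(1_000_000.0, 1_000_000.0)        # constructed reserves, price 1.0
    for ts in (0, 600, 1200, 1800):
        pool.record(ts)                          # samples taken before the large swap
    pool.swap_a_for_b(500_000.0)                 # one oversized same-block swap
    naive = not is_solvent(1_000, 700, pool.spot_price())  # spot-only check
    return naive, may_liquidate(pool, 1800, 1_000, 700)

if __name__ == "__main__":
    print(demo())
```

The spot-only check marks the position liquidatable after a single swap, while the guarded check does not, because a price that exists only inside one block carries no weight in the average.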

Following the flash loan exploit, the attacker proceeded to launder the proceeds from the attack via Tornado Cash. Data from Etherscan show about 1,180 ETH ($2.9 million) has already been washed via Tornado Cash.

Downplaying the incident

Following the attack, Deus Finance stated that the tokens are unaffected but that it has paused the lending contract targeted by the exploit and will carry out a comprehensive review of the matter.

The team promised to refund users liquidated by the flash loan attack. But it maintained that the incident did not lead to “an ecosystem wide exploit.”

DEUS, the project’s native coin, initially suffered a 44% slump against Fantom (FTM) — the pair with the largest trading volume — following the news of the attack. The coin’s price has since posted a significant recovery and is up almost 20% in the last hour as of the time of writing.


© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.