New Deus Finance Exploit Loses $13 Million
On Thursday, a multi-blockchain DeFi protocol called Deus Finance DAO was exploited using a flash loan. The hacker took approximately $13.4 million.
According to the network, an unknown attacker carried out the flash loan exploit at around 2:40 am UTC. Flash loans are loans taken on the condition that the borrowed amount be repaid in the same block. Smart contracts make this possible.
While flash loans are designed for arbitrage trading and capital efficiency, they are being abused by hackers to manipulate DeFi price data streams known as oracles and execute exploits.
According to blockchain security firm PeckShield, a Deus hacker took out a flash loan to manipulate a price oracle in one of its Fantom (FTM) liquidity pools, using a token called DEI linked to the USDC stablecoin.
In today’s incident, the flash loan manipulation resulted in a significant increase in the price of DEI, PeckShield explained in a post. This inflated DEI value was then used as collateral to borrow additional capital in the same flash loan transaction.
This additional borrowed capital was sold for the USDC stablecoin, after which the hacker repaid the flash loan, receiving about $13.4 million. The perpetrator then moved the funds from Fantom to Ethereum and routed them to Tornado Cash (TORN), a mixing protocol used to obfuscate Ethereum transactions.
In response to today’s incident, Deus Finance (DEUS) announced that it has halted lending involving the exploited DEI tokens. It also stated that “user funds are safe” and that more details will be released at a later date.
This was not the first security incident for Deus Finance. The protocol also lost $3 million last month due to a flash loan exploit. The incident added fuel to the debate about flash loans and the potential risk they pose to DeFi protocols.
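The oracle weakness described above, as an added example that is not from the article, PeckShield or Deus Finance: a lending check that reads a pool's spot price is compared with one that reads a time-weighted average (TWAP) and refuses to quote when spot has drifted from it. The constant-product pool, reserves, swap size, 80% loan-to-value and 5% deviation threshold are all constructed assumptions; the article does not describe the real pool's design.

```python
# Added illustration: simplified constant-product pool, constructed numbers.
from dataclasses import dataclass

@dataclass
class Pool:
    dei: float                 # DEI reserve
    usdc: float                # USDC reserve
    cumulative: float = 0.0    # running sum of end-of-block prices
    blocks: int = 0

    def spot_price(self) -> float:
        return self.usdc / self.dei           # USDC per DEI, right now

    def end_block(self) -> None:
        self.cumulative += self.spot_price()  # feed the TWAP accumulator
        self.blocks += 1

    def twap(self) -> float:
        return self.cumulative / self.blocks  # time-weighted average price

    def swap_usdc_for_dei(self, usdc_in: float) -> float:
        k = self.dei * self.usdc              # x * y = k, fees ignored
        self.usdc += usdc_in
        dei_out = self.dei - k / self.usdc
        self.dei -= dei_out
        return dei_out

def borrow_limit(collateral_dei: float, price: float, ltv: float = 0.8) -> float:
    return collateral_dei * price * ltv

def guarded_price(pool: Pool, max_deviation: float = 0.05) -> float:
    """Hardened oracle: price from TWAP, refuse if spot has moved away from it."""
    spot, twap = pool.spot_price(), pool.twap()
    if abs(spot - twap) / twap > max_deviation:
        raise ValueError("spot price deviates from TWAP; borrowing paused")
    return twap

def simulate() -> dict:
    pool = Pool(dei=1_000_000, usdc=1_000_000)
    for _ in range(10):                       # ten quiet blocks at 1.00
        pool.end_block()
    pool.swap_usdc_for_dei(9_000_000)         # large swap inside one block
    result = {"spot": pool.spot_price(), "twap": pool.twap()}
    result["limit_spot_oracle"] = borrow_limit(100_000, result["spot"])
    try:
        result["limit_guarded_oracle"] = borrow_limit(100_000, guarded_price(pool))
    except ValueError:
        result["limit_guarded_oracle"] = 0.0  # lending market rejects the quote
    return result

if __name__ == "__main__":
    print(simulate())
```

With the spot oracle the same 100,000 DEI of collateral supports a borrow limit a hundred times larger than its pre-swap value; the guarded oracle detects the deviation and quotes nothing.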