Deus Finance Hacked AGAIN - Losses Total Over $16.5 Million
All these DeFi hacks are looking a little sus to me...
Deus Finance's 2nd Hack in 2 months
I feel like it was just yesterday that I was reading about how $3 million was stolen from Deus Finance. It's funny because it might as well have been yesterday: it was only a month ago. Basically, a hacker was able to use a flash loan attack to exploit the contract that runs the protocol and siphon out $3 million. If you're not familiar with the term flash loan, check out this article from CoinDesk. Flash loans are uncollateralized crypto loans that are issued and paid back within one single transaction; if the loan isn't repaid by the end of that transaction, the whole thing reverts as if it never happened. This is a controversial thing for many reasons, but it does actually have use-cases. Maybe we can talk about that in another post.
Fast forward only one month later to yesterday, and we are seeing the same exact thing happen again. Deus Finance was exploited once again, but this time for $13.4 million via yet another flash loan attack. You'd think that they would have re-worked the smart contract to avoid this happening again. The least they could have done was get a fresh audit and fix the issues.
Here's how this played out.
Keep in mind that this is all done in one single transaction, so your average Joe isn't gonna be doing flash loan attacks. This is well thought out and very planned.
First, the flash loan itself is issued for $143 million USDC. That 143 million USDC is then swapped on the market for 9.5 million DEI (the Deus Finance "stable coin"), sweeping the pool and pushing the DEI price far above where it should be. The lending contract's price oracle reads DEI's price from that same manipulated market, so 71,436 DEI is accepted as collateral for a loan of 17.2 million DEI. The flash loan is then repaid, netting the attacker $13.4 million.

That's pretty damn slick if you ask me. The attacker literally used the loan to sweep the liquidity pool and inflate the price of DEI, tricking the protocol into lending far more than the collateral was worth and emptying its liquidity. Oof.
Here's what the actual transaction looks like.
Immediately after the loan closed and the profit was sitting in the attacker's wallet, funds were siphoned out to Tornado cash in chunks of 100 ETH. What the attacker is doing is trying to obfuscate the trail of where the stolen funds are going by using a mixing service.
Since we all know the blockchain doesn't lie, it's often easy to trace where funds are going to an extent. With the use of mixing services like Tornado Cash, though, it becomes much more difficult. The longer the funds sit in Tornado, the harder it becomes to trace them. Who knows how long the attacker is willing to wait. If it were me, I'd forget about it for as long as possible.
It's going to be very difficult to identify the attacker, but supposedly they have identified the attacker's Binance account. Rookie mistake using an exchange that makes you do know-your-customer (KYC) verification. If it truly is the attacker's account, they have their name, address, ID and everything necessary to pursue legal action. I sincerely hope they do.
Don't let us down, Cyber Action Fraud Police of England. We're counting on you. This is why it's always important to do your research before using a DeFi platform. Could the same thing be done to other platforms? Probably. This is why it's of the utmost importance to check the smart contracts for potential bugs with a fine-toothed comb.
This attack could have been avoided if the price oracle for DEI had taken its price from something other than the spot price of a single pool, which one large swap can move within a transaction. Don't ask me how - I'm not a dev. Either way though....
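To make the attack sequence above and the oracle problem concrete, here is an added example (my own toy model, not Deus Finance's contracts or any real pool). It simulates a fee-less constant-product USDC/DEI pool, a lender that values DEI collateral through a price oracle, and runs the same flash-loan sweep against two oracles: a spot-price oracle that reads the reserves directly, and a simple time-weighted average price (TWAP) oracle that only averages prices observed at the start of earlier blocks. The pool sizes, loan size, collateral amount, 80% loan-to-value ratio and ten-block window are all constructed assumptions for illustration.

```python
# Added example (not Deus Finance code): a toy constant-product USDC/DEI pool,
# a lender that values DEI collateral through a price oracle, and a comparison
# of a spot-price oracle with a simple TWAP oracle under a flash-loan sweep.
# All pool sizes, loan sizes and the 80% loan-to-value ratio are constructed
# assumptions for illustration.

from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """x*y=k pool with no swap fee; integer token units."""
    usdc: int
    dei: int

    def spot_price(self) -> float:
        """USDC per DEI, read straight from the reserves (movable in one trade)."""
        return self.usdc / self.dei

    def swap_usdc_for_dei(self, usdc_in: int) -> int:
        k = self.usdc * self.dei
        self.usdc += usdc_in
        dei_out = self.dei - k // self.usdc
        self.dei -= dei_out
        return dei_out

    def swap_dei_for_usdc(self, dei_in: int) -> int:
        k = self.usdc * self.dei
        self.dei += dei_in
        usdc_out = self.usdc - k // self.dei
        self.usdc -= usdc_out
        return usdc_out


class SpotOracle:
    """Vulnerable: reports whatever the reserves say right now."""
    def __init__(self, pool: ConstantProductPool):
        self.pool = pool

    def record(self, block: int) -> None:
        pass  # nothing to accumulate

    def price(self, block: int) -> float:
        return self.pool.spot_price()


class TwapOracle:
    """Hardened: averages prices observed at the start of earlier blocks only,
    so a swap inside the current transaction cannot move the reading."""
    def __init__(self, pool: ConstantProductPool, window: int = 10):
        self.pool = pool
        self.window = window
        self.history: list[tuple[int, float]] = []

    def record(self, block: int) -> None:
        self.history.append((block, self.pool.spot_price()))

    def price(self, block: int) -> float:
        past = [p for b, p in self.history if b < block][-self.window:]
        if not past:
            raise ValueError("no prior observations")
        return sum(past) / len(past)


@dataclass
class Lender:
    oracle: object
    ltv: float = 0.8  # constructed loan-to-value ratio

    def max_borrow_usdc(self, dei_collateral: int, block: int) -> int:
        return round(dei_collateral * self.oracle.price(block) * self.ltv)


def flash_loan_attack(pool, lender, loan_usdc, collateral_dei, block):
    """Single-transaction sequence. Returns the attacker's net USDC gain."""
    dei_bought = pool.swap_usdc_for_dei(loan_usdc)             # 1. sweep the pool
    borrowed = lender.max_borrow_usdc(collateral_dei, block)   # 2. borrow at the oracle's price
    usdc_back = pool.swap_dei_for_usdc(dei_bought)             # 3. unwind the sweep
    round_trip_loss = loan_usdc - usdc_back                    # 4. repay the flash loan (0 with no fee)
    forfeited = round(collateral_dei * pool.spot_price())      # loan never repaid; collateral is lost
    return borrowed - forfeited - round_trip_loss


def run_scenario(oracle_cls) -> int:
    pool = ConstantProductPool(usdc=10_000_000, dei=10_000_000)  # DEI at its $1 peg
    oracle = oracle_cls(pool)
    lender = Lender(oracle)
    for block in range(1, 12):          # ten quiet blocks, then the attack block
        oracle.record(block)
    return flash_loan_attack(pool, lender, loan_usdc=10_000_000,
                             collateral_dei=100_000, block=11)


if __name__ == "__main__":
    print("spot oracle, attacker profit:", run_scenario(SpotOracle))   # 220000
    print("TWAP oracle, attacker profit:", run_scenario(TwapOracle))   # -20000
```

With the spot oracle, the 10 million USDC sweep quadruples the pool's DEI price, so 100,000 DEI of collateral is accepted for 320,000 USDC and the attacker walks away 220,000 USDC ahead after abandoning the collateral. With the TWAP oracle the same trade changes nothing the lender reads, the borrow limit stays at 80,000 USDC, and the attack loses money. A real TWAP (for example Uniswap v2's cumulative-price accumulator) weights by time rather than by block count, but the property that matters is the same: the price the lender trusts cannot be set by the transaction that borrows against it.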
Stay safe out there frens, it's the wild west in crypto land.
Thanks for reading! Much love.
Posted Using LeoFinance Beta
Is it that easy to hack these platforms that manage millions of dollars? I'm really having trouble understanding this. It's really hard to believe that someone from the outside hacked it.
My thoughts exactly, but after looking at the contract code.... The sad truth is that it is that easy to attack Deus in particular.
I don't know much about this, but I think there should be someone checking them out. This type of hacking hurts the crypto market.
If they wanted to be secure, they would be. This is just reckless.
They reported it to Action Fraud. That's a general UK fraud reporting service which includes cyber crime in its portfolio. It avoids the need for humans to get involved.
Unless the filtering system works purely on value or prioritises cyber crime over the many other types of fraud, I am not hopeful it'll go anywhere. My experience of dealing with them is that it's mostly just useful as a way to generate a crime number to give to the insurance company, and that nothing is ever actually investigated. Perhaps they will be luckier than I have been.....
Wow, that's actually really shitty. I thought it was an organization that would actually investigate.
Yeah, it's sad. I think the problem is that there is so much fraud now that the police couldn't cope with the volume. Most of it is small-scale - 419 scam emails, fraudulent online non-delivery claims etc. So they created Action Fraud as a way to record all the crimes, then identify the ones where they had the best chance of a successful investigation and conviction.
It kind of makes sense, until you realise that cyber crime is one of the hardest to investigate for your average policeman, and if it originates internationally it is orders of magnitude harder without co-operation from Interpol and other nations police.
But with numbers in the millions of dollars, I suspect they might be more interested than when I report a £50 fraudulent non-delivery claim!
Wow. Very eye-opening!
It honestly baffles me that Flash Loans became something desirable given the massive downside that keeps cropping up. Their sole purpose seems to be facilitating the generation of profits in a very short period of time, and I can't see how this ends up being useful to the crypto community in the long-term with respect to the average user. It feels like (risky) complex instruments being introduced to the stock market all over again :S
Thanks for taking the time to walk through the details of this latest hack, though :)
!1UP
Yeah, flash loans are very interesting, and can actually be useful. Leave it to us humans to find a way to ruin everything though. Lol