
Deus Finance Hack Incident—May 5, 2023—Detailed Analysis

by ImmuneBytes

Overview

On May 5, 2023, Deus Finance, a project operating on the Ethereum Mainnet, Arbitrum, and BNB Chain, suffered a significant security breach due to an implementation error in the token contract, which allowed unauthorized burning and transfer of tokens.

The exploit resulted in a considerable loss of approximately $6.38 million spread across the three blockchain networks, marking a critical event in the project’s operation.

About Deus Finance

Deus Finance is a Decentralized Finance (DeFi) Protocol that serves as a peer-to-peer bilateral Over-The-Counter (OTC) infrastructure platform, facilitating the on-chain trading of digital derivatives, options, and swaps. Integral to its ecosystem is the stablecoin $DEI, which is employed as collateral for various third-party financial instruments within the platform.

Root Cause of the Hack

The fundamental vulnerability that precipitated the Deus Finance hack was a coding flaw within the $DEI token contract, specifically an error in the implementation of the token’s allowance mechanism.

This defect permitted an attacker to burn tokens from any holder’s account without requiring approval. The error occurred in the contract’s burnFrom function where the _allowances mapping order was erroneously flipped.

As a result, the exploiter could use an allowance they themselves had granted to obtain an allowance over another user’s balance. The erroneous code:

    function burnFrom(address account, uint256 amount) public virtual {
        // BUG: mapping indices are flipped. This reads the allowance that
        // msg.sender granted to `account`, not the one `account` granted to msg.sender
        // (which would be _allowances[account][_msgSender()]).
        uint256 currentAllowance = _allowances[_msgSender()][account];
        // The attacker-controlled value is then written back as an allowance
        // from `account` to msg.sender.
        _approve(account, _msgSender(), currentAllowance - amount);
        _burn(account, amount);
    }

allowed the attacker to manipulate the allowances and extract tokens, ultimately netting over $5 million from Arbitrum, about $1.3 million from BNB Chain, and $135,000 from Ethereum.

DEUS Contract Address (BSC): 0xDE5ed76E7c05eC5e4572CfC88d1ACEA165109E44

Attack Flow

The attack unfolded as follows:

  1. The attacker identified addresses with substantial $DEI holdings.
  2. Using their own allowance, they approved these addresses, then called burnFrom with the victim’s address, setting the burn amount to zero.
  3. The contract’s flawed logic erroneously granted the attacker full control over the victim’s tokens.
  4. The attacker then used the transferFrom function to move the victim’s tokens to their own address, making a substantial profit across multiple networks.
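To make the flipped-index bug and the attack flow above concrete, here is an added Python model of the relevant ERC20 allowance logic (constructed for this write-up, not the DEI contract’s code). It replays the listed steps against a flawed burnFrom and against the correct owner-then-spender lookup that OpenZeppelin’s ERC20Burnable uses; the account names and balances are assumptions.

```python
# Constructed Python model of ERC20 allowance/burn bookkeeping; not the DEI contract.
from collections import defaultdict


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        # _allowances[owner][spender] = amount `owner` lets `spender` move
        self._allowances = defaultdict(lambda: defaultdict(int))

    def approve(self, owner, spender, amount):
        self._allowances[owner][spender] = amount

    def transfer_from(self, sender, owner, to, amount):
        # A Solidity contract would revert here; ValueError plays that role.
        if self._allowances[owner][sender] < amount:
            raise ValueError("insufficient allowance")
        self._allowances[owner][sender] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def _burn(self, account, amount):
        self.balances[account] -= amount

    def burn_from_flawed(self, sender, account, amount):
        # BUG: indices flipped: reads what *sender* granted to *account* ...
        current = self._allowances[sender][account]
        if current < amount:
            raise ValueError("underflow")  # mimics Solidity 0.8 checked math
        # ... and writes it back as account -> sender, creating an allowance
        self.approve(account, sender, current - amount)
        self._burn(account, amount)

    def burn_from_fixed(self, sender, account, amount):
        # Correct order: what *account* (owner) granted to *sender* (spender)
        current = self._allowances[account][sender]
        if current < amount:
            raise ValueError("insufficient allowance")
        self.approve(account, sender, current - amount)
        self._burn(account, amount)


def run_scenario(flawed):
    """Replays attack-flow steps 2-4; returns the attacker's final balance."""
    t = Token({"victim": 1_000, "attacker": 0})
    t.approve("attacker", "victim", 1_000)  # step 2: attacker approves the victim
    burn = t.burn_from_flawed if flawed else t.burn_from_fixed
    burn("attacker", "victim", 0)           # step 2: burnFrom(victim, 0)
    try:
        t.transfer_from("attacker", "victim", "attacker", 1_000)  # step 4
    except ValueError:
        pass  # the fixed contract reverts: no allowance was ever granted
    return t.balances["attacker"]
```

With the flawed lookup the zero-amount burn leaves the attacker holding a 1,000-token allowance from the victim; with the correct lookup the same call grants nothing and the transfer reverts.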

Attacker’s address (Arbitrum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
Example attack tx (Arbitrum): 0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef

Frontrunner address (BSC): 0x5a647e376d3835b8f941c143af3eb3ddf286c474
Example attack tx (BSC): 0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef

Attacker’s address (Ethereum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
Example attack tx (Ethereum): 0x6129dd42778345bc278822a7feadeacb933f5e56ce51114e686832ad239307a8

This critical oversight in the token contract’s allowance mechanism clearly illustrates the need for rigorous code audits and security practices in the DeFi space.

Stolen Fund Details

The stolen funds were distributed across multiple networks, with profits of over $5 million on Arbitrum, approximately $1.3 million on the BNB Chain, and roughly $135,000 on the Ethereum Mainnet.

As the vulnerability became public knowledge, some white-hats were able to step in and mitigate further damage.

On the BSC, the exploit was front-run, and an on-chain message indicated the intent to return the stolen funds to Deus Deployer.

Over $600k in USDC has been returned to a recovery multi-sig by other whitehats. Despite these efforts, questions remain about the trustworthiness of the thrice-hacked protocol and its ability to prevent future incidents.

The stolen funds were initially moved through various addresses, and some were returned following the hacker’s discussions with the Deus Finance team.

Hack Aftermath

Post-hack actions included:

  • Cooperation with white hat hackers
  • Contract operations paused
  • Affected tokens burned to prevent further exploitation
  • Snapshot of DEI balances taken for a recovery plan
  • A bounty of 20% of recovered funds is offered to the hacker for returning the stolen assets
  • A portion of funds successfully returned to the Deus team

The Deus V3 contract remained unaffected.

Details of Previous Hacks

Deus Finance has now fallen victim to hackers three times.

The first of these breaches transpired in March 2022, when a flash-loan exploit led to the theft of over $3 million in DAI and Ether.

A subsequent breach in April 2022 exacerbated the situation, with attackers draining close to $13.4 million, predominantly in Ethereum. The recurrence of such security lapses has cast a shadow over the protocol’s defensive mechanisms and raised serious concerns about its reliability.

With a history of being compromised multiple times, the trust in Deus Finance’s capacity to safeguard user funds has been significantly eroded, casting doubt on the protocol’s viability and security assurance moving forward.

Mitigation Steps for Similar Exploits

Such exploits can be avoided by:

  • Using established, audited libraries such as OpenZeppelin’s ERC20Burnable, whose burnFrom spends the allowance that the token owner granted to the caller; this would have prevented the hack.
  • Implementing a detailed incident response plan, including the ability to pause contract operations quickly.
  • Considering risk coverage protocols for added protection of user funds.

Conclusion

The third hack of Deus Finance on May 5, 2023, attributable to a critical error in contract implementation, has had considerable repercussions, both financially and in terms of the confidence placed in the protocol’s security infrastructure.

It underscores the indispensable value of exhaustive testing and the implementation of robust security measures. In light of this, the role of professional smart contract auditing firms, such as Immunebytes, becomes critically important. Immunebytes has established itself by preemptively identifying and mitigating such vulnerabilities through meticulous code audits and by reinforcing security postures.

Incorporating risk management solutions, like those offered by Neptune Mutual, provides an additional layer of protection, helping to cushion the impact of any potential exploits. The path ahead for Deus Finance hinges on its commitment to fortify its systems and take decisive steps toward rebuilding the trust of its users.
