April 28, 2022

DEUS Finance Suffered its Second Flashloan Attack This Year: Beosin’s Detailed Analysis

On April 28, 2022, Beosin EagleEye detected that DEUS Finance's contract on Fantom had been exploited by a flashloan attack for about 17,246,885 DEI ($16,989,217.23). The Beosin security team analyzed the incident; the findings are shown below.



DEUS Introduction

DEI is a lending platform contract of DEUS Finance, the world’s first decentralized bilateral OTC derivatives platform. The official website: https://deus.finance/



Relevant Information

Transaction hash: 0x39825ff84b44d9c9983b4cff464d4746d1ae5432977b9a65a92ab47edac9c9b5

Hacker address: 0x701428525cbac59dae7af833f19d9c3aaa2a37cb

Hacker contract: 0x1f56ccfe85dc55558603230d013e9f9bfe8e086c

Victim contract: 0x8d643d954798392403eea19db8108f595bb8b730



Exploitation Flow

1. The attacker stakes about 0.92 sex-sAMM-USDC/DEI LP tokens to the victim contract in advance.

2. The attacker obtains about 143.2 million USDC through multiple flashloans, then swaps them for 9,547,716 DEI through the USD/DEI pair contracts. Because the USDC balance in the pair rises sharply, the oracle, which derives the price from the pair's balances, reports an inflated price for the sex-sAMM-USDC/DEI collateral.

3. The attacker calls the DeiLenderSolidex.borrow function to borrow approximately 17,246,885 DEI against the collateral staked in step 1.

4. The attacker swaps the DEI for USDC and repays the flashloans.



Vulnerability Analysis

The root cause is that the oracle computes the collateral price from the token balances of the pair. By shifting those balances with flash-loaned funds, the attacker inflated the reported value of the sex-sAMM-USDC/DEI collateral, borrowed far more DEI than the collateral was worth, and kept the difference as profit.



Fund Tracing

As of this writing, the stolen funds had been bridged to the Ethereum address 0x701428525cbac59dae7af833f19d9c3aaa2a37cb and then deposited into Tornado Cash.



Summary

In response to this incident, the Beosin security team recommends:

1. Use a reliable TWAP (time-weighted average price) for price calculation to reduce the risk of price manipulation.

2. Before a project goes live, engage a professional security audit firm for a comprehensive security audit to reduce security risks.
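As an added illustration (not Beosin's or DEUS's code) of the balance-based pricing exploited in step 2 and the TWAP recommended above, the constructed simulation below compares the spot-balance valuation of an LP collateral position with an invariant-based valuation priced off a TWAP; it goes one step beyond the recommendation by also showing how a TWAP price can be applied to LP tokens. Pool sizes, timestamps and the 1% LP share are assumptions.

```python
# Constructed simulation, not DEUS/Beosin code; all pool sizes and timestamps are made up.
from dataclasses import dataclass, field
from math import sqrt

@dataclass
class Pool:
    usdc: float
    dei: float
    observations: list = field(default_factory=list)  # (timestamp, spot price)

    def spot_price(self) -> float:  # DEI price in USDC, read from raw reserves
        return self.usdc / self.dei

    def swap_usdc_for_dei(self, usdc_in: float) -> float:
        k = self.usdc * self.dei  # constant product; fees omitted for clarity
        self.usdc += usdc_in
        dei_out = self.dei - k / self.usdc
        self.dei -= dei_out
        return dei_out

    def record(self, ts: int) -> None:
        self.observations.append((ts, self.spot_price()))

def lp_value_spot(pool: Pool, share: float) -> float:
    """Balance-based valuation (the vulnerable pattern): the LP share of USDC plus
    DEI at spot. Collapses to 2*share*usdc, so flash-loaned USDC inflates it."""
    return share * (pool.usdc + pool.dei * pool.spot_price())

def twap(observations: list, now: int) -> float:
    """Time-weighted average of observed prices; an observation made at `now` has zero weight."""
    total = weight = 0.0
    for (t0, p), (t1, _) in zip(observations, observations[1:] + [(now, None)]):
        total += p * (t1 - t0)
        weight += t1 - t0
    return total / weight

def lp_value_fair(pool: Pool, share: float, dei_price: float) -> float:
    """Invariant-based valuation: k = usdc*dei is unchanged by swaps, and a pool
    at equilibrium price p holds sqrt(k*p) USDC + sqrt(k/p) DEI = 2*sqrt(k*p)."""
    return share * 2 * sqrt(pool.usdc * pool.dei * dei_price)

def simulate(share: float = 0.01, flash_usdc: float = 143_200_000.0) -> dict:
    pool = Pool(usdc=10_000_000.0, dei=10_000_000.0)
    for ts in (0, 600, 1200):           # quiet period: DEI trades at 1 USDC
        pool.record(ts)
    before = lp_value_spot(pool, share)
    pool.swap_usdc_for_dei(flash_usdc)  # flash-loaned USDC dumped in at ts=1800
    pool.record(1800)
    return {"spot_before": before, "spot_after": lp_value_spot(pool, share),
            "fair_after": lp_value_fair(pool, share, twap(pool.observations, 1800))}
```

With these numbers the balance-based value of the same LP position jumps from 200,000 to about 3,064,000 USDC within the attacker's transaction, while the TWAP-priced invariant valuation stays at 200,000.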


