Over $13 million stolen from DeFi platform Deus Finance

Decentralized finance (DeFi) platform Deus Finance confirmed reports that an attacker used an illicit method to steal millions of dollars on Wednesday night.

Two blockchain security firms, PeckShield and CertiK, said Deus Finance had been hit by a variant of a “flash loan attack”. Flash loan attacks involve hackers borrowing funds that require no collateral, buying a large amount of a cryptocurrency to artificially raise its price, and then dumping the coins. The loan is repaid and the borrower keeps any profit.

PeckShield said the attacker stole approximately $13.4 million worth of cryptocurrency, but noted that the platform’s actual losses may be greater. CertiK estimated the losses at 5,446 ETH, or approximately $15.7 million.

The Deus platform offers developers a way to build financial services and is made up of two different pieces: DEI and DEUS.

Blockchain data shows that the attacker took out a $143 million flash loan and bought 9.5 million DEI, Deus Finance’s stablecoin, which is pegged to the US dollar. This purchase increased DEI’s price, allowing the attacker to repay the flash loan and walk away with around $13 million.
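The mechanism described in the two paragraphs above (borrow, push the pool price up, profit, repay), shown from the protocol designer's side as an added example that is not from the article or from Deus Finance's code: a fee-less constant-product pool, whose spot price a trade inside the same transaction can move, beside a block-start TWAP oracle, which it cannot, plus the deviation check a lending contract can use to refuse to act on a manipulated reading. The reserves, loan size, window and alert threshold are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class ConstantProductPool:
    """Fee-less x*y=k pool of DEI against USDC (constructed toy, not Deus Finance's contract)."""
    dei: float
    usdc: float

    def spot_price(self) -> float:
        return self.usdc / self.dei  # implied by reserves: readable, and movable, within one transaction

    def buy_dei(self, usdc_in: float) -> float:
        k = self.dei * self.usdc
        self.usdc += usdc_in
        dei_out = self.dei - k / self.usdc
        self.dei -= dei_out
        return dei_out

    def sell_dei(self, dei_in: float) -> float:
        k = self.dei * self.usdc
        self.dei += dei_in
        usdc_out = self.usdc - k / self.dei
        self.usdc -= usdc_out
        return usdc_out


@dataclass
class TwapOracle:
    """Average of prices recorded at the start of each block, so a same-block trade cannot move it."""
    observations: list = field(default_factory=list)

    def record(self, price: float) -> None:
        self.observations.append(price)

    def twap(self, window_blocks: int) -> float:
        recent = self.observations[-window_blocks:]
        return sum(recent) / len(recent)


def oracle_deviation_alert(spot: float, twap: float, max_bps: int = 500) -> bool:
    # Circuit-breaker check: refuse to lend or liquidate while spot and TWAP disagree by more than max_bps.
    return abs(spot - twap) / twap * 10_000 > max_bps


def simulate_same_block_manipulation(loan_usdc: float, window_blocks: int = 10) -> dict:
    pool = ConstantProductPool(dei=1_000_000.0, usdc=1_000_000.0)  # constructed reserves, DEI at 1.00
    oracle = TwapOracle()
    for _ in range(window_blocks):
        oracle.record(pool.spot_price())         # honest price history before the attack block
    dei_bought = pool.buy_dei(loan_usdc)         # flash-loaned USDC pushes the pool price up
    spot, twap = pool.spot_price(), oracle.twap(window_blocks)  # what each oracle style reports mid-transaction
    usdc_back = pool.sell_dei(dei_bought)        # unwind so the flash loan can be repaid
    return {"spot": spot, "twap": twap, "dei_bought": dei_bought,
            "amm_round_trip_loss": loan_usdc - usdc_back, "spot_alert": oracle_deviation_alert(spot, twap)}
```

With a $1M loan against $1M/$1M reserves the spot reading quadruples while the TWAP stays at 1.00 and the deviation check fires; the fee-less round trip costs the borrower nothing, which is why any profit has to come from a contract that prices DEI off the spot reading.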

Deus Finance did not respond to requests for comment, but early Thursday morning it posted brief statements on Twitter and Telegram saying no customers lost money in the attack.

“Please note that all user funds are safe and no users have been liquidated. The developers are still investigating the full extent of the situation and further details will follow soon,” said the people behind the project on Telegram.

On Twitter, they said no users had been liquidated and DEI loans had been temporarily halted.

A Deus Finance developer, tweeting from the @lafachief account, first confirmed that the attacker used a flash loan to manipulate the on-chain price.

“No user has lost any money, the loss is on protocol. Which we will cover through our veDEUS in the future. We are working with teams from CEX and other agencies to recover the funds. I will give you more details today,” the developer said.

The developer went on to claim that it was not actually a flash loan attack in the classic sense. It was “something more sophisticated” involving the abuse of a feature that would be removed in the next update, the developer said.

Later, the developer said that the hack possibly involved a zero-day exploit on crypto exchange Solidly.

While CertiK and PeckShield called it a flash loan attack, PeckShield later said @lafachief was correct that it was more complicated than the typical example.

It’s unclear where the $143 million loan came from, but flash loans are commonly available on a variety of Ethereum-based DeFi lending platforms like Aave and dYdX.

Blockchain data showed that the hacker sent the funds to Tornado Cash, a cryptocurrency mixer that allows people to hide the origin of funds.

PeckShield noted that Deus Finance was hit with another flash loan attack on March 15 in an incident that resulted in losses of approximately $3 million.

The creators of DeFi platforms are in a constant game of cat and mouse with hackers who pore over their code and the functionality of their smart contracts to find vulnerabilities or errors that can be abused. Hackers also regularly exploit price differences for the same coin across different platforms when carrying out flash loan attacks.

Flash loan attacks have become one of the most popular ways for hackers to target DeFi platforms. Two weeks ago, hackers stole $11.2 million worth of Binance Coin from the DeFi platform Elephant Money.

Cream Finance was hit by three different flash loan attacks in 2021, costing the DeFi platform $37 million in February, another $29 million in August, and $130 million in October.

Blockchain analytics firm Chainalysis said at least $2.2 billion was stolen from DeFi protocols in 2021. Last month, the Ronin network reported that hackers stole more than $500 million of cryptocurrency, making it one of the biggest attacks ever.

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.