Deus Finance Suffers $3M Oracle Exploit

Deus Finance has recently announced it would close its DEI lending contract following a price oracle exploit. The twitter announcement, also said both of the protocol’s native tokens, $DEUS and $DEI, were unaffected.

The DeFi protocol has been hacked for a total value of $3 million. According to a separate tweet from Peckshield, the hack could potentially result in wider losses for the protocol (including 200,000 DAI and 1101.8 ETH).

Oracle Manipulation

Deus Finance has confirmed an exploit involving the manipulation of its oracle, Muon. It also announced closure of its DEI lending contract following the oracle exploit.

The exploit was conducted using a flash loan, a mechanism that allows users to borrow and return a specific amount of funds within the same smart contract function. Flash Loans are mainly used to take advantage of arbitrage opportunities involving the difference in price of one token in various DeFi protocols.

Deus Finance relies on an oracle called Muon to provide offchain data to its smart contracts. In this case, the flash loan has managed to manipulate the oracle that updates the price from the USDC/DEI pools in Solidly and Spirit. The attack has caused a depeg between the token pair, resulting in a cascade of liquidations and users becoming insolvent. At the same time, the unknown exploiter used TornadoCash, a protocol that helps obfuscate smart contract transactions and make traceability more difficult, after bridging the funds in and out of the Fantom chain.

The full transaction execution can be seen here.

According to the project’s website, Deus Finance Evolution is a DeFi platform that provides open source infrastructure allowing third parties to build financial instruments such as synthetic stock, options, and prediction market trading platforms.

The project is compatible with the Fantom, Ethereum, Polygon and Avalanche blockchains, among others, and uses the native token DEI, a cross-chain stablecoin that allows users to send a stablecoin to any compatible chain and claim it on the other side with zero slippage. DEI is also utilized as the collateral mechanism for all third-party applications built on Deus.

A core developer of the protocol has tweeted a reimbursement notice assuring that the team is working on fixing the issue, and will be reimbursing everyone affected by the exploit via a smart contract. This solution will allow affected users to recover their losses. The reimbursement will be paid through the team’s personal and DEUS DAO funds.

In addition, Lafayette Tabor (the core developer mentioned above) has published a post mortem in his Medium channel stating that the team would take some actions following the hack:

“Your funds and our system are safe, we deactivated all affected contracts and have been in contact with MUON to upgrade our oracles immediately to mitigate further risks for future implementations, we also contacted some security researchers to take a look at our architecture.”

The hack happened just over a week after prominent DeFi developers Anton Nell and Andre Cronje made the controversial decision to stop contributing in the crypto space. Much of Cronje’s work was related to projects in the Fantom ecosystem. Since the announcement Fantom token has dropped 40% and is currently trading at $1.08, down 68.8% from its $3.46 all-time high in Oct. 2021.

In response to the tweet from Anton Nell on March 6th (announcing departure from the crypto space) Deus Finance announced its intention of capturing some of the NFT space market share by building a money market on top of the veNFT so users could hold liquid positions against their NFTs,  borrow against, and sell them in the market.

Deus has had a noticeable price action since inception at the start of Oct. 2021. In the last 60 days the price has risen 1,267%. It’s all time low was $23.58 and it is currently sitting at $425.

Disclosure: At the time of writing, the author of this piece owned ETH, and several other cryptocurrencies.