More than $13 million stolen from DeFi platform Deus Finance

Decentralized finance (DeFi) platform Deus Finance confirmed reports that an attacker used an illicit method to steal millions of dollars on Wednesday evening. 

Two blockchain security firms, PeckShield and CertiK, said Deus Finance was hit with a variation of a “flash loan attack.” Flash loan attacks involve hackers borrowing funds that do not require collateral, buying a significant amount of a cryptocurrency to artificially raise its price and then offloading the coins. The loan is paid back and the borrower keeps any profit.  

PeckShield said the attacker stole about $13.4 million worth of cryptocurrency but noted that the platform’s actual losses may be larger. CertiK put the losses at 5,446 ETH, or about $15.7 million.

The Deus platform gives developers a way to create financial services and is made up of two different coins: DEI and DEUS.

Blockchain data shows that the attacker took out $143 million in a flash loan and bought 9.5 million DEI, Deus Finance’s stablecoin, which is pegged to the U.S. dollar. That purchase raised the price of DEI, allowing the attacker to pay the flash loan back and net about $13 million.
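The mechanism in the two paragraphs above can be made concrete with a small model. The following Python is an added illustration, not code from Deus Finance, PeckShield or CertiK: it models a DEI/USDC pool as a constant-product market (x·y = k), records the price at the start of every block, and then shows what a contract reads from the spot price versus a time-weighted average (TWAP) while a loan-sized buy is in flight. The pool reserves (10 million DEI against 10 million USDC) are constructed sample values; the loan size is the $143 million figure from the article. The point for a defender is the contrast in the last two numbers: the spot price is moved by a factor in the hundreds inside one transaction, while a TWAP built from block-start prices cannot be moved by trades in the same block.

```python
"""Constant-product AMM model: spot price versus TWAP during a flash-loan-sized buy.

Added illustration, not Deus Finance's own code. Reserves are constructed sample
values; the 143,000,000 loan size is the figure reported in the article.
"""
from dataclasses import dataclass
from statistics import fmean


@dataclass
class Pool:
    """A DEI/USDC pool obeying dei * usdc = k (no fee by default)."""
    dei: float
    usdc: float
    fee: float = 0.0  # swap fee as a fraction of input; 0 keeps arithmetic transparent

    def spot_price(self) -> float:
        """Price of 1 DEI in USDC as implied by the current reserves."""
        return self.usdc / self.dei

    def buy_dei(self, usdc_in: float) -> float:
        """Sell USDC into the pool, receive DEI; raises the DEI spot price."""
        net_in = usdc_in * (1 - self.fee)
        dei_out = self.dei * net_in / (self.usdc + net_in)
        self.usdc += usdc_in
        self.dei -= dei_out
        return dei_out

    def sell_dei(self, dei_in: float) -> float:
        """Sell DEI back into the pool, receive USDC; lowers the DEI spot price."""
        net_in = dei_in * (1 - self.fee)
        usdc_out = self.usdc * net_in / (self.dei + net_in)
        self.dei += dei_in
        self.usdc -= usdc_out
        return usdc_out


class TwapOracle:
    """Time-weighted average price built from block-start observations.

    Because an observation is taken before any trade in the block executes,
    a trade and a price read inside the same block cannot influence each other.
    """

    def __init__(self, window: int):
        self.window = window
        self.block_start_prices: list[float] = []

    def on_new_block(self, pool: Pool) -> None:
        self.block_start_prices.append(pool.spot_price())

    def read(self) -> float:
        return fmean(self.block_start_prices[-self.window:])


def simulate(loan_usdc: float, fee: float = 0.0, quiet_blocks: int = 10) -> dict:
    """Run one loan-sized buy and sell-back inside a single block and report
    what a spot-price consumer and a TWAP consumer would each have seen."""
    pool = Pool(dei=10_000_000.0, usdc=10_000_000.0, fee=fee)  # constructed reserves
    oracle = TwapOracle(window=quiet_blocks)
    for _ in range(quiet_blocks):
        oracle.on_new_block(pool)  # quiet history: price sits at 1.0
    oracle.on_new_block(pool)      # start of the block that carries the attack tx

    spot_before = pool.spot_price()
    dei_bought = pool.buy_dei(loan_usdc)      # borrowed funds buy DEI
    spot_after = pool.spot_price()            # what a spot-price consumer reads now
    twap_during = oracle.read()               # what a TWAP consumer reads now
    usdc_back = pool.sell_dei(dei_bought)     # unwind to repay the loan

    return {
        "spot_before": spot_before,
        "spot_after": spot_after,
        "twap_during": twap_during,
        "overvaluation_factor": spot_after / twap_during,
        "dei_bought": dei_bought,
        "swap_pnl": usdc_back - loan_usdc,    # profit/loss from the round trip alone
    }


if __name__ == "__main__":
    for k, v in simulate(143_000_000.0).items():
        print(f"{k:>22}: {v:,.4f}")
```

Two things the run makes visible. First, with no swap fee the round trip returns exactly the borrowed amount, and with a realistic fee it loses money, so the manipulation by itself is not where the profit comes from; the profit comes from whatever a second contract does while it believes DEI is worth hundreds of dollars. Second, any contract that priced DEI from the TWAP during that same block would have seen 1.0, which is why TWAP oracles, per-block borrow caps, and a sanity check comparing spot to TWAP before acting are the standard mitigations.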

Deus Finance did not respond to requests for comment, but early on Thursday morning, it released brief statements on Twitter and Telegram claiming no customers lost money during the attack. 

“Please note that all user funds are safe and that no users were liquidated. The devs are still investigating the full scope of the situation and further details will follow soon,” the people behind the project said on Telegram.

On Twitter, they said no users were liquidated and DEI lending was halted temporarily. 

A developer with Deus Finance, tweeting from the account @lafachief, initially confirmed that the attacker used a flash loan to manipulate the on-chain price.

“No user lost any money, the loss is on the protocol. Which we will cover through our veDEUS going forward. We are working together with Teams from CEXs and other agencies to recover the funds. I will work out more details for you today,” the developer said.

The developer went on to claim that it was not actually a flash loan attack in the classic sense. It was “something more sophisticated” involving the abuse of a feature that would be removed in the next update, the developer said.

Later, the developer said the hack may have involved a zero-day exploit on the Solidly crypto exchange platform.

While both CertiK and PeckShield called it a flash loan attack, PeckShield later said @lafachief was correct in saying that it was more complicated than the typical example. 

It’s unclear where the $143 million loan came from, but flash loans are typically available on a variety of Ethereum-based DeFi lending platforms like Aave and dYdX.

Blockchain data showed the hacker sent the funds to Tornado Cash, a cryptocurrency mixer that allows people to hide the origin of funds.

PeckShield noted that Deus Finance was hit with another flash loan attack on March 15 in an incident that led to about $3 million in losses. 

DeFi platform creators are in a constant game of cat-and-mouse with hackers who pore over their code and the functionality of their smart contracts in order to find vulnerabilities or mistakes that can be abused. Hackers also routinely use the price differences for coins found on different platforms to their advantage when deploying flash loan attacks.

Flash loan attacks have become one of the most popular ways hackers target DeFi platforms. Two weeks ago, hackers stole $11.2 million worth of Binance Coin from DeFi platform Elephant Money. 

Cream Finance was hit with three different flash loan attacks in 2021, costing the DeFi platform $130 million in October, $37 million in February and another $29 million in August.

Blockchain analysis firm Chainalysis said at least $2.2 billion was stolen from DeFi protocols in 2021. Last month, the Ronin Network announced that hackers stole more than $500 million worth of cryptocurrency, making it one of the largest attacks ever. 

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.