DeFi infrastructure protocol DEUS Finance has suffered yet another flash loan exploit, according to blockchain security and data analytics company PeckShield. The latter tweeted on April 28 that the protocol had lost at least $13.4 million. It notes that the actual theft may be larger.
The hacker manipulated the price oracle reading from the USDC/DEI pair. They then used the manipulated price of DEI to borrow and drain the pool.
DEUS Finance has experienced flash loan exploits before, losing approximately $3 million in an attack on March 14. On that occasion, the protocol lost 200,000 DAI and over 1,108 ETH. Both attacks — the latest attack and the one in March — used the same technique.
The funds have been sent through Tornado Cash, which makes it hard to trace the funds. It has been sent to this Ethereum address, and the blockchain data shows it being routed through Tornado Cash.
The team has commented on the incident, saying that the developers are working on it. They state that user funds are safe, and no users were liquidated. The DEI peg has been restored, and DEI lending has been suspended.
These incidents will do DEUS Finance no assistance, especially given that it’s the second kind of attack in just over a month. Flash loan exploits are among the most common types of attacks in the market, more of which can be expected in the future.
The DeFi space has always been prey for hackers, as it sees a lot of capital inflow, as well as new investors who lack the acumen to invest in the space safely.
Sometimes, it is a development mistake, as in the case of the Wormhole bridge hack, which resulted in $321 million stolen — the biggest hack of 2022. Other times, it is a rug pull that attracts new investors who are looking to make a profit quickly.
As such, teams are now paying more attention to audits and ensuring airtight security. Bug bounties and insurance programs are other areas that are also seeing strong growth.