Deus DAO has experienced a troubling series of events, resulting in substantial losses for token holders across Arbitrum, BSC, and Ethereum, with the DEI stablecoin depegging by over 80%. This recent incident marks the third entry on our leaderboard for Deus DAO, just over a year since its last appearance.
Interestingly, the previous instances occurred within FTM, the project's original platform, seemingly without any adverse effects. However, as DEI expanded onto other chains, vulnerabilities emerged.
Once the alarm was raised and the root cause identified, Deus acknowledged the hack and established a multisig address for whitehats to facilitate fund returns. Nevertheless, one cannot help but question the level of trust that can be placed in a protocol that has experienced three hacking incidents.
The breach was the result of a simple implementation error introduced during a recent upgrade to the DEI token contract. The burnFrom function was miswritten: the 'msgSender' and 'account' parameters were used in the wrong order when the allowance was read and then written back. This unintentional mistake created a burn vulnerability, publicly exposing DEI holders to manipulation by attackers who could gain control over approvals and transfer assets to their own addresses.
Exploiting the mis-ordered parameters, an attacker could first approve any DEI holder's address from the attacker's own account. Calling burnFrom on that holder with an amount of 0 then rewrote the approval in the opposite direction, granting the attacker's address an allowance over the holder's balance and allowing them to drain the funds held by the unsuspecting token holder.
DEI exploit explained
1. Identify an address with a significant DEI balance.
2. Approve the identified address.
3. Call burnFrom with an amount of 0 and the approved address.
4. During the burnFrom process, all tokens from the address are approved for transfer to the attacker's address.
5. Call transferFrom to initiate the transfer.
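The parameter-order defect described above, modelled as an added example (this is not the DEI contract's code; the token model, the account names and the burn_from functions are constructed for illustration). It pairs the swapped read/write with the corrected form and encodes the invariant a reviewer or fuzzer should have checked: burnFrom may only lower the allowance an account granted to the caller, never raise it.

```python
# Constructed model of an ERC20 allowance map, not the DEI contract itself.
# It reproduces the defect the article describes: the allowance is read as
# allowance[msgSender][account] but written back as allowance[account][msgSender].

class AllowanceError(Exception):
    pass

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def _burn(self, account, amount):
        if self.balances.get(account, 0) < amount:
            raise AllowanceError("burn amount exceeds balance")
        self.balances[account] -= amount

    def burn_from_vulnerable(self, msg_sender, account, amount):
        # Defect: owner and spender are swapped in the read but not in the write,
        # so whatever msg_sender approved to account becomes account's approval
        # to msg_sender (minus amount, which an attacker sets to 0).
        current = self.allowance.get((msg_sender, account), 0)
        if current < amount:
            raise AllowanceError("burn amount exceeds allowance")
        self.allowance[(account, msg_sender)] = current - amount
        self._burn(account, amount)

    def burn_from_fixed(self, msg_sender, account, amount):
        # Correct form: read and write the same (owner, spender) pair.
        current = self.allowance.get((account, msg_sender), 0)
        if current < amount:
            raise AllowanceError("burn amount exceeds allowance")
        self.allowance[(account, msg_sender)] = current - amount
        self._burn(account, amount)

def allowance_never_grows(burn_impl_name):
    """Invariant check: after burnFrom(account, 0) by `caller`, the allowance
    `holder` granted to `caller` must not have increased. Returns True when
    the named implementation preserves the invariant, False when it breaks it."""
    token = Token({"holder": 1_000, "caller": 0})  # constructed balances
    token.approve("caller", "holder", 2**256 - 1)  # caller approves holder, not vice versa
    before = token.allowance.get(("holder", "caller"), 0)
    try:
        getattr(token, burn_impl_name)("caller", "holder", 0)
    except AllowanceError:
        return True  # a revert cannot enlarge any allowance
    after = token.allowance.get(("holder", "caller"), 0)
    return after <= before
```

A property test of this shape on the upgraded contract would have flagged the defect before deployment, since the vulnerable variant turns a zero-amount burn into an unlimited allowance for the caller.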
The attacker's addresses for the respective platforms are as follows:
Attacker's address (Arbitrum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
Example attack tx (Arbitrum): 0xb1141785...
Front runner address (BSC): 0x5a647e376d3835b8f941c143af3eb3ddf286c474
Example attack tx (BSC): 0xde2c8718...
Attacker's address (Ethereum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
Example attack tx (Ethereum): 0x6129dd42...
According to BlockSec's MetaSleuth, the approximate losses incurred were $5 million on Arbitrum, $1.3 million on BSC, and $135,000 on Ethereum.
Fortunately, the exploit on BSC was front-run, and an on-chain message to the Deus Deployer indicates the intention to return the funds. Additionally, proactive white hats have joined the effort, resulting in the recovery of over $600,000 in USDC to a designated recovery multisig.
However, concerns have arisen regarding the wisdom of returning funds to a protocol that has suffered multiple breaches due to seemingly trivial bugs. The act of returning rescued funds to a thrice-hacked protocol raises questions about the long-term viability and security of Deus DAO.
In an official update, Deus has outlined a recovery plan for affected users and has made efforts to engage with the attacker on-chain. Nevertheless, the fact that the attacker's account was initially funded through Tornado Cash on BSC casts a shadow of doubt on the prospects of a successful resolution.
The looming question remains: Will this series of events prove to be the final blow for Deus DAO?
The protocol now faces the challenge of rebuilding trust and demonstrating its resilience in the face of adversity. An official update promises a comprehensive recovery plan for those affected by the exploit, but the incident raises valid concerns about the protocol's future.
Returning funds to a thrice-hacked protocol may appear counterproductive, leading to doubts about the efficacy of such actions. The community and stakeholders will closely monitor how Deus DAO navigates through this critical period, assessing its ability to address security vulnerabilities and restore faith in its platform.
Ultimately, the fate of Deus DAO rests on its ability to learn from past mistakes, fortify its security measures, and regain the trust of its users. Only time will tell if Deus DAO can overcome these challenges and emerge stronger, rebuilding its reputation as a reliable and secure protocol in the decentralized finance landscape.
Note: The information provided in this article is based on the available data and reports at the time of writing and may be subject to updates and further developments.