How Deus Finance Was Exploited for $13.4M on Fantom

The attack, which used a flash loan, was the second in two months.

AccessTimeIconApr 28, 2022 at 8:13 a.m. UTC
Updated Apr 9, 2024 at 11:48 p.m. UTC

Decentralized finance (DeFi) application Deus Finance was exploited for the second time in two months, with the attacker gaining more than $13.4 million of cryptocurrency in early Asian hours today, security researchers at PeckShield said in a tweet. The exploit occurred on the Fantom Network.

  • Deus allows developers to build financial services such as futures trading, lending and options on its platform. (Disclosure: The writer of this report is a liquidity provider for Deus on Ethereum, Fantom and BNB Chain.)
  • The attacker used a flash loan to trick the way Deus's smart contracts read data on the platform’s liquidity pools. This allowed the attacker to artificially inflate the value of some assets, borrow funds and make a profit after repaying the loan.
  • Some $143 million were borrowed as a flash loan, blockchain data appear to show. The hacker was able to make a profit of $13.4 million. PeckShield said the total losses to the protocol could be much higher.
  • The Deus ecosystem comprises two tokens: DEUS and DEI. DEUS is the governance token on the platform. Minting DEI, a stablecoin pegged 1:1 to the U.S. dollar, burns DEUS, and redeeming DEI mints DEUS, according to developer documents.
  • Thursday’s exploit was the second in two months on the protocol, which was attacked in a similar manner in March for $3 million.

How the attack took place

Using the flash loan, Deus’ attackers were able to temporarily manipulate prices on a liquidity pool consisting of the USD coin (USDC) stablecoin and DEI, and use the manipulated DEI price to borrow and drain the pool.

Flash loans allow DeFi users to take out millions of dollars as a loan against zero collateral. This isn’t crypto magic or free money: The loan must be repaid before the transaction ends or the smart contract reverses the transaction – as if the loan never existed.

On the other end, liquidity pools, such as the USDC and DEI pool on Deus, rely on so-called oracles to ensure they are correctly priced at all times and any borrowing is within limits that don’t exceed the total value of those pools. Oracles are blockchain-based tools that provide smart contracts with trusted external information. These are required because blockchains can immutably store data, but can’t verify if the input data are accurate.

On Thursday, the attackers were able to take out a flash loan of over 143 million USDC, and used that to swap 9.5 million DEI, according to PeckShield. This caused the price of DEI to suddenly become more expensive than the usual exchange rate of $1.

How the hacker made away with $13.4 million. (PeckShield)
How the hacker made away with $13.4 million. (PeckShield)

The attacker then used some 71,000 DEI to borrow over 17.2 million DEI using the manipulated prices. The flash loan was then repaid, and the attacker managed to pocket $13.4 million.

DEUS prices fell 16.5% in the past 24 hours, CoinGecko data show. A bulk of these losses came after the exploit was made public. Deus had not responded to a request for comment by publication time.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.