Decoding Deus DAO $6.5 Million Exploit | QuillAudits

--

Summary:

On May 6, 2023, the Deus DAO Protocol was exploited on the Arbitrum, Ethereum, and BNB chains due to a smart contract vulnerability. Approximately $6.5 million was stolen by the hackers in this exploit.

About Project:

Deus is a decentralized, peer-to-peer infrastructure platform that allows for over-the-counter trading of digital derivatives, options, and swaps. With Deus, users can create custom derivatives and trade them with others on the platform.

DEI is a fractional reserve stablecoin that can be used as a unit of account for derivative-based trading on protocols built on the DEUS infrastructure layer.

To learn more about the Project, check out the official documentation.

Vulnerability Analysis & Impact:

On-Chain Details:

Victim Contract: 0xbc1b62db243b51dabcd9540473324f36e094ec55

Attacker’s EOA (Arbitrum & Ethereum): 0x189cf534de3097c08b6beaf6eb2b9179dab122d1
Frontrunner EOA (BSC): 0x5a647e376d3835b8f941c143af3eb3ddf286c474

Attacker’s Contract: 0xe2ee6252509382a2b6504d5a5f7a1c5018a38168

Attack Transactions:
Arbitrum:
0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef
Ethereum: 0x6129dd42778345bc278822a7feadeacb933f5e56ce51114e686832ad239307a8
BNB Chain: 0xde2c8718a9efd8db0eaf9d8141089a22a89bca7d1415d04c05ba107dc1a190c3

The Root Cause:

The root vulnerability was that allowances were misconfigured in the burnFrom() function. Instead of _allowances[account][_msg.sender()], it was set to _allowances[_msg.sender()][account].

An attacker was able to approve their own account and burn the victim’s tokens by calling the function with a burn amount of 0. This resulted in the attacker being approved for the current allowance amount of the victim’s tokens, which they could then transfer.

Attack Process:

  • The attacker began by identifying an address holding a large amount of $DEI tokens. The Attacker then called the burnFrom() function with the victim’s address, passing the amount parameter as zero.
  • The contract now grants approval of all tokens from the specified address to the attacker’s address. This means that the attacker can now access all tokens that are associated with that address.
  • Then they invoke a call to the transferFrom() function in order to take away the assets for their profits. The exploiter made a profit of over $5 million on Arbitrum and $135k on Ethereum.
  • In the BNB Chain, this exploit was front-run. They sent an on-chain message to the Deus Deployer with the intention of returning the funds.

Total Loss:

The flow of Funds:

The attacker swapped all USDC for ETH and bridged it from Arbitrum to Ethereum Chain. At the time of writing this blog, the attacker has around $1.03 million worth of assets in their wallet.

Incident Timelines

06–05–2023- The Project acknowledge the incident and announced it through their Twitter. They paused all the contracts, and DEI tokens were burnt on-chain to prevent further damage.

06–05–2023- They also declared that they would not pursue any legal action if the funds were returned and would further enlist 20% of the fund as a bounty.

08–05–2023- They shared a few updates on Twitter about the exploit. They have received nearly 5.5 million out of the 7 million. They further stated that Deus V3 Contracts are completely isolated from DEI, and this remains unaffected during the exploit.

How they could have prevented the Exploit?

The root cause of the issue was misconfigured allowances. In ERC20, allowances are mapped as _allowances[owner][spender]. However, it should be the allowance from the account to the caller, not the other way around. To prevent the attack, simply swapping the parameters from _allowances[_msg.sender()][account] to _allowances[account][_msg.sender()] would have been sufficient.

Reproducing the hack:

We will be using the Foundry framework for POC. For demonstration purposes, we will be reproducing the hack in Arbitrum Chain only.
(Add the Arbitrum Mainnet RPC URL in foundry.toml file and run the test using the command forge test -vvv)

The exploit PoC link can be found here.

Similar projects secured by QuillAudits:

Web3 security- Need of the hour

Why QuillAudits for Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions, saving the loss of millions in funds.

Want more such security blogs and reports?

Connect with QuillAudits on:
Linkedin | Twitter | Website | Newsletter | Discord | Telegram

--

--

QuillAudits - Web3 Security 🛡️
QuillAudits - Web3 Security 🛡️

Written by QuillAudits - Web3 Security 🛡️

6+ Years Securing #Web3: 1M+ Lines Audited. Trusted by 1K+ Clients including StarkWare, Taiko, ZetaChain & Metis. Next-gen audits, KYC & on-chain monitoring.