In April 2023, Merlin DEX,a decentralized exchange (DEX) built on ZkSync, suffered a hack during a Liquidity Generation Event for its MAGE token, resulting in an estimated loss of $1.8 million from the protocol.
Gul Hameed 
May 24, 2023 
Deus DAO, a platform offering a framework for optimistic on-chain digital derivatives, has experienced its third major hack across multiple chains, including Arbitrum, BSC, and Ethereum. The recent security breach resulted in token holders losing approximately $6.5 Million, and the DEI stablecoin depegging by over 80%. This event brings into question the trustworthiness of the thrice-hacked protocol, raising concerns for users and investors alike. Despite being a major player in the DeFi space, Deus DAO's continuous security issues highlight the importance of robust smart contract audits and monitoring systems. The Deus DAO hack had significant financial consequences, with users collectively losing around $6.5 million across Arbitrum, BSC, and Ethereum chains. Furthermore, the hack caused the DEI stablecoin to depeg by more than 80%, destabilizing its value and potentially shaking investor confidence. The vulnerability stemmed from a simple implementation error in the DEI token contract that was introduced during an upgrade last month. This error allowed the attacker to manipulate DEI holders' approvals and transfer assets directly to their own address. The losses were approximately $5 million on Arbitrum, $1.3 million on BSC, and $135k on Ethereum. Although some whitehat hackers have managed to return over $600k in USDC to a recovery multisig, doubts remain about the effectiveness of returning funds to a team responsible for such a trivial bug. The approve() function is used in ERC20 token contracts to allow one account (the spender) to spend a certain amount of tokens on behalf of another account (the owner). The mapping _allowances[owner][spender] is used to store the approved amount of tokens for a specific owner-spender pair. The burnFrom() function is responsible for burning a specified amount of tokens from a given account. In this case, the function reads the allowances mapping to ensure that the spender has enough allowance to burn the tokens from the owner's account. However, there is a critical issue within the burnFrom() function. The order of the mapping parameters has been flipped, causing it to read from _allowances[attacker][victim] instead of _allowances[owner][spender]. This flipped mapping order allows the attacker to manipulate the allowances and eventually gain control of the victim's tokens. The attacker first identifies a victim account with a large amount of DEI tokens. The attacker approves the victim's account for a large amount of tokens using the approve() function. This is like giving someone permission to take a large amount of candies from your candy jar. The attacker calls the burnFrom() function with the victim's address as the account and 0 as the amount. The flipped mapping order causes the allowances to get updated incorrectly, as the smart contract reads _allowances[_msgSender()][account] instead of _allowances[account][_msgSender()]. Due to this, the contract believes that the attacker has control over the victim's withdrawal limit (allowance). Inside the burnFrom() function, the _approve() function is called again with the remaining allowance value (currentAllowance - amount). However, due to the flipped order, the allowance mapping is now set as _allowances[victim][attacker]. This means that the victim's account has given the attacker an allowance to spend a large amount of tokens from their account, just like mistakenly giving someone permission to empty your entire candy jar. Now that the attacker has been granted a large allowance from the victim's account, they can call the transferFrom() function to transfer the victim's tokens to their own account. The smart contract believes the attacker has the right to do so and allows the transfer, resulting in the theft of the victim's funds. Arbitrum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1 BSC: 0x5a647e376d3835b8f941c143af3eb3ddf286c474 Ethereum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1 These are the addresses used by the attacker to execute the hack on different blockchains and receive the stolen DEI tokens. By examining the transaction history of these addresses, we can trace the steps taken by the attacker, including the preparation for the attack and the subsequent token transfers. Arbitrum: 0xb1141785... BSC: 0xde2c8718... Ethereum: 0x6129dd42... These transactions showcase how the attacker exploited the vulnerability in the DEUS DAO smart contract to steal DEI tokens. By analyzing these transactions, we can observe how the attacker manipulated the approve() and burnFrom() functions. The DEUS DAO hack highlights the importance of thorough security measures when developing and deploying smart contracts in the decentralized finance ecosystem. This particular exploit was a result of a simple yet critical vulnerability in the burnFrom() functions, which enabled the attacker to manipulate allowances and steal millions of dollars worth of DEI tokens from unsuspecting users. As DeFi platforms continue to grow in popularity, it is crucial for developers and project teams to prioritize the security of their smart contracts and to learn from incidents like the DEUS DAO hack. Implementing strong technical mitigations, conducting comprehensive audits, and engaging the community can significantly reduce the risk of security breaches and ensure a safer environment for users. In light of this incident, we strongly recommend projects to get their smart contracts audited by reputable security firms such as BlockApex.io. A thorough audit conducted by experienced professionals can help identify and address vulnerabilities before they can be exploited by malicious actors, ultimately safeguarding the integrity of the platform and its users' assets. By taking these important steps, DeFi platforms can continue to innovate and thrive while ensuring the security and trust of their users.Introduction
Hack Impact
Deus DAO: Hack Explained
Approve Function
Imagine the approve() function as allowing someone to take a certain amount of candies from your candy jar.
BurnFrom Function and Flipped Mapping Order Vulnerability
Attacker's Step-by-Step Process
Identifying a target
Approving the victim
Exploiting the BurnFrom function
Resetting the allowance
Transferring tokens
Transaction Analysis
Attacker's Addresses
Attack Transactions
Funds Flow
Conclusion
In April 2023, Merlin DEX,a decentralized exchange (DEX) built on ZkSync, suffered a hack during a Liquidity Generation Event for its MAGE token, resulting in an estimated loss of $1.8 million from the protocol.
Gul Hameed 
July 12, 2023 Zunami is a decentralized protocol operating in the Web3 space, specializing in issuing aggregated stablecoins like UZD and zETH. These stablecoins are generated from omnipools that employ various profit-generating strategies. Recently, the protocol was exploited, resulting in a loss of $2.1M.
Gul Hameed
September 8, 2023 The Level Finance hack significantly affected the platform and its users, as the attacker managed to steal $1.1 million in referral rewards. This breach undermined trust in Level Finance and raised concerns about the security of similar DeFi platforms.
Gul Hameed
July 5, 2023 On April 15th, 2023, Hundred Finance was hacked, resulting in a loss of approximately $7.4 million USD in various cryptocurrencies. The attacker exploited an integer rounding vulnerability in the platform's contract logic when a market was empty.
Gul Hameed
June 21, 2023 The Euler Finance hack had a devastating impact on the platform and its users, with approximately $197 million worth of assets stolen, including ETH, WBTC, USDC, and DAI. This placed Euler Finance at number 6 on the leaderboard of the largest DeFi hacks. The platform's total value locked (TVL) dropped from $264 million to just $10 million.
Gul Hameed
March 14, 2023 The attackers exploited a reentrancy vulnerability in the Orion Protocol's core contract, ExchangeWithOrionPool, by constructing a fake token (ATK) with self-destruct capability that led to the transfer() function.
Gul Hameed
September 11, 2023 Jimbo's Protocol is a decentralized finance (DeFi) system built on the Arbitrum chain. The protocol uses a semi-stable floor price for its ERC-20 token, $JIMBO, backed by a treasury of Ether (ETH). However, despite its pioneering efforts to maintain on-chain liquidity and price floors, Jimbo's Protocol recently faced a Flash loan attack.
Gul Hameed
September 7, 2023 Kokomo Finance has taken off with approximately $4 million worth of user funds, leaving users unable to withdraw their funds. Wrapped Bitcoin deposits were rugged, with almost $2M of tokens still remaining in the project’s pools on Optimism.
Gul Hameed
August 8, 2023 The BonqDAO security breach that occurred on February 2, 2023, had far-reaching consequences for the platform, its users, and the wider DeFi ecosystem. The attack exploited a vulnerability in the integration of the Tellor Oracle system, which BonqDAO relied on for obtaining token price information.
Gul Hameed
September 22, 2023 
