DEUS DAO - May 6, 2023


Drop your email to read the BlockApex newsletter and keep yourself updated around the clock.

    Table Of Content



    Deus DAO, a platform offering a framework for optimistic on-chain digital derivatives, has experienced its third major hack across multiple chains, including Arbitrum, BSC, and Ethereum. The recent security breach resulted in token holders losing approximately $6.5 Million, and the DEI stablecoin depegging by over 80%. This event brings into question the trustworthiness of the thrice-hacked protocol, raising concerns for users and investors alike. Despite being a major player in the DeFi space, Deus DAO's continuous security issues highlight the importance of robust smart contract audits and monitoring systems.

    Hack Impact

    The Deus DAO hack had significant financial consequences, with users collectively losing around $6.5 million across Arbitrum, BSC, and Ethereum chains. Furthermore, the hack caused the DEI stablecoin to depeg by more than 80%, destabilizing its value and potentially shaking investor confidence.

    The vulnerability stemmed from a simple implementation error in the DEI token contract that was introduced during an upgrade last month. This error allowed the attacker to manipulate DEI holders' approvals and transfer assets directly to their own address. The losses were approximately $5 million on Arbitrum, $1.3 million on BSC, and $135k on Ethereum. Although some whitehat hackers have managed to return over $600k in USDC to a recovery multisig, doubts remain about the effectiveness of returning funds to a team responsible for such a trivial bug.

    Deus DAO: Hack Explained

    Approve Function

    The approve() function is used in ERC20 token contracts to allow one account (the spender) to spend a certain amount of tokens on behalf of another account (the owner). The mapping _allowances[owner][spender] is used to store the approved amount of tokens for a specific owner-spender pair.
    Imagine the approve() function as allowing someone to take a certain amount of candies from your candy jar.

    BurnFrom Function and Flipped Mapping Order Vulnerability

    The burnFrom() function is responsible for burning a specified amount of tokens from a given account. In this case, the function reads the allowances mapping to ensure that the spender has enough allowance to burn the tokens from the owner's account. However, there is a critical issue within the burnFrom() function.

    The order of the mapping parameters has been flipped, causing it to read from _allowances[attacker][victim] instead of _allowances[owner][spender]. This flipped mapping order allows the attacker to manipulate the allowances and eventually gain control of the victim's tokens.

    DEUS DAO - burnFrom()

    Attacker's Step-by-Step Process

    Identifying a target

    The attacker first identifies a victim account with a large amount of DEI tokens.

    Approving the victim

    The attacker approves the victim's account for a large amount of tokens using the approve() function. This is like giving someone permission to take a large amount of candies from your candy jar.

    Exploiting the BurnFrom function

    The attacker calls the burnFrom() function with the victim's address as the account and 0 as the amount. The flipped mapping order causes the allowances to get updated incorrectly, as the smart contract reads _allowances[_msgSender()][account] instead of _allowances[account][_msgSender()]. Due to this, the contract believes that the attacker has control over the victim's withdrawal limit (allowance).

    Resetting the allowance

    Inside the burnFrom() function, the _approve() function is called again with the remaining allowance value (currentAllowance - amount). However, due to the flipped order, the allowance mapping is now set as _allowances[victim][attacker]. This means that the victim's account has given the attacker an allowance to spend a large amount of tokens from their account, just like mistakenly giving someone permission to empty your entire candy jar.

    Transferring tokens

    Now that the attacker has been granted a large allowance from the victim's account, they can call the transferFrom() function to transfer the victim's tokens to their own account. The smart contract believes the attacker has the right to do so and allows the transfer, resulting in the theft of the victim's funds.

    Transaction Analysis

    Attacker's Addresses

    Arbitrum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1

    BSC: 0x5a647e376d3835b8f941c143af3eb3ddf286c474

    Ethereum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1

    These are the addresses used by the attacker to execute the hack on different blockchains and receive the stolen DEI tokens. By examining the transaction history of these addresses, we can trace the steps taken by the attacker, including the preparation for the attack and the subsequent token transfers.

    Attack Transactions

    Arbitrum: 0xb1141785...

    BSC: 0xde2c8718...

    Ethereum: 0x6129dd42...

    These transactions showcase how the attacker exploited the vulnerability in the DEUS DAO smart contract to steal DEI tokens. By analyzing these transactions, we can observe how the attacker manipulated the approve() and burnFrom() functions.

    Funds Flow

    DEUS DAO  - funds flow 1
    DEUS DAO  - funds flow 2


    The DEUS DAO hack highlights the importance of thorough security measures when developing and deploying smart contracts in the decentralized finance ecosystem. This particular exploit was a result of a simple yet critical vulnerability in the  burnFrom() functions, which enabled the attacker to manipulate allowances and steal millions of dollars worth of DEI tokens from unsuspecting users.

    As DeFi platforms continue to grow in popularity, it is crucial for developers and project teams to prioritize the security of their smart contracts and to learn from incidents like the DEUS DAO hack. Implementing strong technical mitigations, conducting comprehensive audits, and engaging the community can significantly reduce the risk of security breaches and ensure a safer environment for users.

    In light of this incident, we strongly recommend projects to get their smart contracts audited by reputable security firms such as A thorough audit conducted by experienced professionals can help identify and address vulnerabilities before they can be exploited by malicious actors, ultimately safeguarding the integrity of the platform and its users' assets.

    By taking these important steps, DeFi platforms can continue to innovate and thrive while ensuring the security and trust of their users.

    More Hack Analysis

    Merlin DEX - April 26, 2023

    In April 2023, Merlin DEX,a decentralized exchange (DEX) built on ZkSync, suffered a hack during a Liquidity Generation Event for its MAGE token, resulting in an estimated loss of $1.8 million from the protocol.

    ZUNAMI - Hack Analysis

    Zunami is a decentralized protocol operating in the Web3 space, specializing in issuing aggregated stablecoins like UZD and zETH. These stablecoins are generated from omnipools that employ various profit-generating strategies. Recently, the protocol was exploited, resulting in a loss of $2.1M.

    LEVEL FINANCE - May 2, 2023

    The Level Finance hack significantly affected the platform and its users, as the attacker managed to steal $1.1 million in referral rewards. This breach undermined trust in Level Finance and raised concerns about the security of similar DeFi platforms.

    HUNDRED FINANCE - April 15, 2023

    On April 15th, 2023, Hundred Finance was hacked, resulting in a loss of approximately $7.4 million USD in various cryptocurrencies. The attacker exploited an integer rounding vulnerability in the platform's contract logic when a market was empty.

    Euler Finance (March 14, 2023)

    The Euler Finance hack had a devastating impact on the platform and its users, with approximately $197 million worth of assets stolen, including ETH, WBTC, USDC, and DAI. This placed Euler Finance at number 6 on the leaderboard of the largest DeFi hacks. The platform's total value locked (TVL) dropped from $264 million to just $10 million.

    Orion Protocol - February 4, 2023

    The attackers exploited a reentrancy vulnerability in the Orion Protocol's core contract, ExchangeWithOrionPool, by constructing a fake token (ATK) with self-destruct capability that led to the transfer() function.

    Jimbo's Protocol - Monday, May 28, 2023

    Jimbo's Protocol is a decentralized finance (DeFi) system built on the Arbitrum chain. The protocol uses a semi-stable floor price for its ERC-20 token, $JIMBO, backed by a treasury of Ether (ETH). However, despite its pioneering efforts to maintain on-chain liquidity and price floors, Jimbo's Protocol recently faced a Flash loan attack.

    Kokomo Finance - Hack Analysis (March 27, 2023)

    Kokomo Finance has taken off with approximately $4 million worth of user funds, leaving users unable to withdraw their funds. Wrapped Bitcoin deposits were rugged, with almost $2M of tokens still remaining in the project’s pools on Optimism.

    BonqDAO - February 3, 2023

    The BonqDAO security breach that occurred on February 2, 2023, had far-reaching consequences for the platform, its users, and the wider DeFi ecosystem. The attack exploited a vulnerability in the integration of the Tellor Oracle system, which BonqDAO relied on for obtaining token price information.

    1 2 3
    Designed & Developed by: 
    All rights reserved. Copyright 2023