Decentralized finance (DeFi) protocol Deus Finance DAO has suffered a flash loan exploit for the second time in two months, blockchain security firm PeckShield said on Twitter on 28 April.
According to the company, the attacker used a flash loan — which requires the borrower to return the sum in the same transaction — to trick the protocol’s smart contracts at around 2:40 AM UTC, allowing him to get away with about $13.4 million. The blockchain security firm also noted that the total losses for Deus Finance could be much higher then what the hacker stole.
PeckShield further explained that the attacker used a $143 million flash loan on the Fantom blockchain to artificially inflate the price of DEI — the cross-chain platform’s governing token — which was then used as collateral to borrow more funds. The additional capital was then sold for USDC, with the attacker repaying his flash loan all in the same transaction. The funds were then moved from Fantom to Ethereum, where they were laundered through Tornado Cash, a mixing protocol used to obfuscate transactions on the Ethereum network.
In response to the attack, Deus Finance tweeted that it had temporarily halted DEI lending, and that the DEI peg was restored. The team behind the project also stated that user funds were safe, and that it would release more details on a later date. Back in March, Deus Finance experienced a similar incident — where an attacker used a flash loan to manipulate the price of DAI — which saw a hacker steal $3 million from the project.