Project name: Deus Finance
Project type: DEX and Stable Coin
Date of exploit: May 5th, 2023
Asset loss: ~ $ 6,500,000
Vulnerability: code logic issue
Date of audit report publishing: Jun 23rd, 2021
Conclusion: Out of audit scope
Details of the Exploit
Background
DEUS Finance is a platform for decentralized financial services, including an AMM product and a stablecoin product called “DEIStablecoin”. The stablecoin is designed to follow the ERC20 standard that contains a feature to allow others to spend money.
Nature of the Vulnerability
The DEUS stablecoin DEIStablecoin contains the following vulnerable burnFrom function. To align with the ERC20 standard and “_approve()” operation, the “currentAllowance” should be “_allowances[account][_msg.sender()]” , instead of “_allowances[_msg.sender()][account]”. As a result of this bug, an attacker could manipulate the stable coin’s allowance by taking advantage of the incorrectly implemented burnFrom function, ultimately using the victim's tokens without authorization.
CertiK Audit Overview
Conclusion
On May 5th, 2023, the Deus stablecoin was attacked due to issues within its code logic, leading to a loss of $6,500,000.
CertiK Audited the AMM product of the Deus Finance. However, the exploit was due to the vulnerability in the Stablecoin product, which is a different product from what CertiK has audited. Therefore, it is out of the audit scope.
References
Reket.news: https://rekt.news/deus-dao-r3kt/
