Back to all stories
Incident Analysis
Stablecoin Stumble: The Code Bug Led to $6.5 Million Loss on DeuS Finance
Stablecoin Stumble: The Code Bug Led to $6.5 Million Loss on DeuS Finance

Project name: Deus​​ Finance

Project type: DEX and Stable Coin

Date of exploit: May 5th, 2023

Asset loss: ~ $ 6,500,000

Vulnerability: code logic issue

Date of audit report publishing: Jun 23rd, 2021

Conclusion: Out of audit scope

Details of the Exploit


DEUS Finance is a platform for decentralized financial services, including an AMM product and a stablecoin product called “DEIStablecoin”. The stablecoin is designed to follow the ERC20 standard that contains a feature to allow others to spend money.

Nature of the Vulnerability

The DEUS stablecoin DEIStablecoin contains the following vulnerable burnFrom function. To align with the ERC20 standard and “_approve()” operation, the “currentAllowance” should be “_allowances[account][_msg.sender()]” , instead of “_allowances[_msg.sender()][account]”. As a result of this bug, an attacker could manipulate the stable coin’s allowance by taking advantage of the incorrectly implemented burnFrom function, ultimately using the victim's tokens without authorization.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.22.09 AM


On May 5th, 2023, the Deus stablecoin was attacked due to issues within its code logic, leading to a loss of $6,500,000.

CertiK Audited the AMM product of the Deus Finance. However, the exploit was due to the vulnerability in the Stablecoin product, which is a different product from what CertiK has audited. Therefore, it is out of the audit scope.