CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Blogs
Incident Analysis
Stablecoin Stumble: The Code Bug Led to $6.5 Million Loss on DeuS Finance
1/8/2024
Stablecoin Stumble: The Code Bug Led to $6.5 Million Loss on DeuS Finance

Project name: Deus​​ Finance

Project type: DEX and Stable Coin

Date of exploit: May 5th, 2023

Asset loss: ~ $ 6,500,000

Vulnerability: code logic issue

Date of audit report publishing: Jun 23rd, 2021

Conclusion: Out of audit scope

Details of the Exploit

Background

DEUS Finance is a platform for decentralized financial services, including an AMM product and a stablecoin product called “DEIStablecoin”. The stablecoin is designed to follow the ERC20 standard that contains a feature to allow others to spend money.

Nature of the Vulnerability

The DEUS stablecoin DEIStablecoin contains the following vulnerable burnFrom function. To align with the ERC20 standard and “_approve()” operation, the “currentAllowance” should be “_allowances[account][_msg.sender()]” , instead of “_allowances[_msg.sender()][account]”. As a result of this bug, an attacker could manipulate the stable coin’s allowance by taking advantage of the incorrectly implemented burnFrom function, ultimately using the victim's tokens without authorization.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.22.09 AM

Conclusion

On May 5th, 2023, the Deus stablecoin was attacked due to issues within its code logic, leading to a loss of $6,500,000.

CertiK Audited the AMM product of the Deus Finance. However, the exploit was due to the vulnerability in the Stablecoin product, which is a different product from what CertiK has audited. Therefore, it is out of the audit scope.

References

Reket.news: https://rekt.news/deus-dao-r3kt/

Related Stories
Prisma Finance Incident Analysis
Blogs
Incident Analysis
On 28 March, Prisma Finance was exploited by multiple addresses leading to a loss of approximately $12.3 million. Three attackers took advantage of a vulnerability in the Prisma Finance MigrateTroveZap contract which allowed them to manipulate a migration process. Since the exploit occurred, a wallet that received funds from the main exploiter has reached out to the Prisma Finance deployer declaring that their actions were a white hat rescue.
3/29/2024
Blast Chain's $97 Million Battle: Are North Korean Hackers Rusty?
Blogs
Incident Analysis
A detailed post-mortem analysis of the Munchables incident on the Blast mainnet, focusing on the methods used by attackers, the vulnerabilities exploited, and the subsequent community and project response to recover lost assets and enhance security measures.
3/27/2024
March's Major Private Key Compromises
Blogs
Incident Analysis
From 12 March to 16 March we have seen nine private key compromises (PKC) that have led to a combined loss of at least $22.96 million in March, with five of those incidents incurring losses over $1 million. These incidents showcase the continued devastation that private key leakages can have on the Web3 ecosystem which has already seen approximately $239 million lost to this type of attack in 2024.
3/22/2024
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;