DEUS DAO - May 6, 2023

Table Of Content

Share:

Introduction

Deus DAO, a platform offering a framework for optimistic on-chain digital derivatives, has experienced its third major hack across multiple chains, including Arbitrum, BSC, and Ethereum. The recent security breach resulted in token holders losing approximately $6.5 Million, and the DEI stablecoin depegging by over 80%. This event brings into question the trustworthiness of the thrice-hacked protocol, raising concerns for users and investors alike. Despite being a major player in the DeFi space, Deus DAO's continuous security issues highlight the importance of robust smart contract audits and monitoring systems.

Hack Impact

The Deus DAO hack had significant financial consequences, with users collectively losing around $6.5 million across Arbitrum, BSC, and Ethereum chains. Furthermore, the hack caused the DEI stablecoin to depeg by more than 80%, destabilizing its value and potentially shaking investor confidence.

The vulnerability stemmed from a simple implementation error in the DEI token contract that was introduced during an upgrade last month. This error allowed the attacker to manipulate DEI holders' approvals and transfer assets directly to their own address. The losses were approximately $5 million on Arbitrum, $1.3 million on BSC, and $135k on Ethereum. Although some whitehat hackers have managed to return over $600k in USDC to a recovery multisig, doubts remain about the effectiveness of returning funds to a team responsible for such a trivial bug.

Deus DAO: Hack Explained

Approve Function

The approve() function is used in ERC20 token contracts to allow one account (the spender) to spend a certain amount of tokens on behalf of another account (the owner). The mapping _allowances[owner][spender] is used to store the approved amount of tokens for a specific owner-spender pair.
Imagine the approve() function as allowing someone to take a certain amount of candies from your candy jar.

BurnFrom Function and Flipped Mapping Order Vulnerability

The burnFrom() function is responsible for burning a specified amount of tokens from a given account. In this case, the function reads the allowances mapping to ensure that the spender has enough allowance to burn the tokens from the owner's account. However, there is a critical issue within the burnFrom() function.

The order of the mapping parameters has been flipped, causing it to read from _allowances[attacker][victim] instead of _allowances[owner][spender]. This flipped mapping order allows the attacker to manipulate the allowances and eventually gain control of the victim's tokens.

DEUS DAO - burnFrom()

Attacker's Step-by-Step Process

Identifying a target

The attacker first identifies a victim account with a large amount of DEI tokens.

Approving the victim

The attacker approves the victim's account for a large amount of tokens using the approve() function. This is like giving someone permission to take a large amount of candies from your candy jar.

Exploiting the BurnFrom function

The attacker calls the burnFrom() function with the victim's address as the account and 0 as the amount. The flipped mapping order causes the allowances to get updated incorrectly, as the smart contract reads _allowances[_msgSender()][account] instead of _allowances[account][_msgSender()]. Due to this, the contract believes that the attacker has control over the victim's withdrawal limit (allowance).

Resetting the allowance

Inside the burnFrom() function, the _approve() function is called again with the remaining allowance value (currentAllowance - amount). However, due to the flipped order, the allowance mapping is now set as _allowances[victim][attacker]. This means that the victim's account has given the attacker an allowance to spend a large amount of tokens from their account, just like mistakenly giving someone permission to empty your entire candy jar.

Transferring tokens

Now that the attacker has been granted a large allowance from the victim's account, they can call the transferFrom() function to transfer the victim's tokens to their own account. The smart contract believes the attacker has the right to do so and allows the transfer, resulting in the theft of the victim's funds.

Transaction Analysis

Attacker's Addresses

Arbitrum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1

BSC: 0x5a647e376d3835b8f941c143af3eb3ddf286c474

Ethereum: 0x189cf534de3097c08b6beaf6eb2b9179dab122d1

These are the addresses used by the attacker to execute the hack on different blockchains and receive the stolen DEI tokens. By examining the transaction history of these addresses, we can trace the steps taken by the attacker, including the preparation for the attack and the subsequent token transfers.

Attack Transactions

Arbitrum: 0xb1141785...

BSC: 0xde2c8718...

Ethereum: 0x6129dd42...

These transactions showcase how the attacker exploited the vulnerability in the DEUS DAO smart contract to steal DEI tokens. By analyzing these transactions, we can observe how the attacker manipulated the approve() and burnFrom() functions.

Funds Flow

DEUS DAO  - funds flow 1
DEUS DAO  - funds flow 2

Conclusion

The DEUS DAO hack highlights the importance of thorough security measures when developing and deploying smart contracts in the decentralized finance ecosystem. This particular exploit was a result of a simple yet critical vulnerability in the  burnFrom() functions, which enabled the attacker to manipulate allowances and steal millions of dollars worth of DEI tokens from unsuspecting users.

As DeFi platforms continue to grow in popularity, it is crucial for developers and project teams to prioritize the security of their smart contracts and to learn from incidents like the DEUS DAO hack. Implementing strong technical mitigations, conducting comprehensive audits, and engaging the community can significantly reduce the risk of security breaches and ensure a safer environment for users.

In light of this incident, we strongly recommend projects to get their smart contracts audited by reputable security firms such as BlockApex.io. A thorough audit conducted by experienced professionals can help identify and address vulnerabilities before they can be exploited by malicious actors, ultimately safeguarding the integrity of the platform and its users' assets.

By taking these important steps, DeFi platforms can continue to innovate and thrive while ensuring the security and trust of their users.

More Audits

A Security Framework For Blockchain Applications

how do we keep the blockchain application safe? Let's walk through some security frameworks for blockchain applications in this blog

Infiltrating the EVM-II: Inside the War Room's Arsenal

War Room is an immersive, high-energy environment incorporating a dedicated team of experts that comes together to form the backbone of the War Room. Read more in this part

Yamato Stablecoin Lending - Audit Report (June 20th, 2022)

Yamato Protocol is a crypto-secured stablecoin generator DApp pegged to JPY. Yamato Protocol is a lending decentralized financial application (DeFi) that can generate Japanese Yen stablecoin "CJPY". It is being developed by DeFiGeek Community Japan, a decentralized autonomous organization.

Order Matching: Achieving Seamless Trades

Decentralized exchanges (DEXs) have disrupted the cryptocurrency trading landscape by introducing trustless and transparent platforms for exchanging digital assets. A critical element of DEXs is the order matching mechanism, which enables the execution of trades. This blog post delves into the intricacies of order-matching mechanisms, highlighting the advancements that have enhanced user efficiency, liquidity, and overall trading experience.

Infiltrating the EVM-I: Demystifying Smart Contracts & Auditing

Infiltrating the EVM-I: Demystifying Smart Contracts & Auditing comprises of information about compilation breakdown of solidity code, the vulnerable components of blockchain ecosystem and how Smart contract auditing is crucial.

Polkalokr Matic Bridge Contract Audit Report

The analysis indicates that the contracts audited are secured and follow the best practices.
Our team performed a technique called “Filtered Audit”, where the contract was separately audited by two individuals. After their thorough and rigorous process of manual testing, an automated review was carried out using Slither, and Manticore. All the flags raised were manually reviewed and re-tested.

Phase Protocol Audit Report

Phase Protocol is a NFT Marketplace infrastructure built on Solana Protocol, a reliable and scalable L1 solution. The on-chain Fundraising solution offered by DedMonke provides a crowdfunding experience to DeFi users.

Infiltrating the EVM: Advanced Strategies for Blockchain Security Guardians

Learn advanced strategies for blockchain security guardians in this groundbreaking article series by BlockApex Labs. Gain insights into the Ethereum Virtual Machine (EVM), smart contract vulnerabilities, and thorough auditing techniques. Stay ahead in the evolving world of blockchain security and prevent financial losses with comprehensive knowledge. Join us for the article series and course today.

Infiltrating the EVM-III: Unravel the Impact Of Blockchain On Bug Fixing!

Fixing a bug in traditional software development is often likened to solving a difficult puzzle, each presenting its own challenges. This task has always been complex and time-consuming. However, resolving bugs in a blockchain system is even more demanding due to its transparent & permissionless nature and the high stakes involved with users' funds.

1 2 3 11
Designed & Developed by: 
All rights reserved. Copyright 2023