DEUS post mortem

Dear Community

Your funds and our system are safe, we deactivated all affected contracts and have been in contact with MUON to upgrade our oracles immediatly to mitigate further risks for future implementations, we also contacted some security researchers to take a look at our architecture.

On Mar-15–2022 06:19:46 AM +UTC an unknown exploiter used a flash loan attack against our Oracles. This is a common exploit and we are taking full responsibility for our decision to implement it like this.

https://ftmscan.com/tx/0xe374495036fac18aa5b1a497a17e70f256c4d3d416dd1408c026f3f5c70a3a9c

Everyone was offline around this time as we have been working until late at night.

We found out about the exploit around Mar-15–2022 07:30:00 AM +UTC

We immediately stopped the contracts on Mar-15–2022 07:40:00 AM +UT

TX1: https://ftmscan.com/tx/0xa824a7ef8a90d7d34b6a783581f392d7161c0ad761446750f21cde8519cd79c3

TX2: https://ftmscan.com/tx/0xe86c6057e02ceb8376550e0920c5aef8641c927ee787b5d34494f397d5246586

We learned about the lost funds on Mar-15–2022 08:30:00 AM +UTC

and instantly made the decision to fully reimburse all user funds from personal and DAO treasuries.

To make things clear: NO USER FUNDS are LOST.

We will make everyone whole again — anyone affected by the exploit will be reimbursed completely.

This means that the sAMM inside the borrowing contract will be replenished and the balances of users that got affected will be restored to the value they had prior to the exploit. It’s a 1:1 reimbursement, no payment through a reimbursement token or anything other projects use when they get exploited.

We will give users back what they have lost 1:1. I am even acquiring the SOLID + SEX rewards that are currently not being acquired by users and we will also deposit those eventually.

In total a loss of 5.2 sAMM occured, and 0.2 sAMM was by a team member.

you can check our sAMM holdings here.
we deposited 1.6655 into the solidex contract

and 1.72 + 1.622 into the LenderContract, we havent been liquidated as we havnt borrowed up to our Limit.

as soon as the reimbursement contract is ready we will deposit the sAMM there.

The reimbursement is paid through personal and DEUS DAO funds.

How is this possible?
DEUS DAO acquired a huge war chest through 2020 and 2021 by offering the DEUSv1 token via a continuous token offering model, the same model that was later adopted by Trubit.

https://lafayettetabor.medium.com/deus-continious-token-model-faq-36953ca5e561

Obviously, this is a hit for us that we take but it won’t stall the development or put us in an unsustainable long-term position.

We are thankful for the opportunity to show our commitment to this project, and we feel sorry for the panic and mistrust this has eventually created.

And I want to personally apologize, it is clear I made the wrong decisions this weekend when had to weigh up speed vs. need.

  1. Analysis

https://twitter.com/peckshield/status/1503632734299701250

What Peckshield had identified is correct. A hacker abused the implemented liquidation oracle of the lending MVP (we’re aware of TWAPs) Luckily, the precaution we took to have a 10M limit prevented larger damage.

Even though the Lending got hacked and heavy DEI were sold off our AMOs are showing they are battle-proven.

https://rekt.news/deus-dao-rekt/

Why didn’t Deus DAO have a more robust system in place?

The irony is that we not only had a more robust system already in mind with our partners MUON but that we also were the ones who helped design the MUON oracle system in the first place. The Muon tech we were about to deploy next week was designed exactly to prevent this. However, it was not part of this MVP yet.

The Muon engineers were already working on implementing the VWAP oracles and DEUS will soon upgrade to those new contracts. Furthermore, I also contacted the Byte Masons team and Immunefi to take a look.

Our work can demand crucial decisions where we have to weigh speed vs. need and this was a valuable lesson. Had we waited another week, this exploit would have been impossible. A decision we are paying with a high price.

DEUS will soon have implemented a battle-tested oracle solution like VWAP.

I take full responsibility, I made the wrong call this weekend, and I hope that you can accept my apology.

I also want to thank the entire team for reacting quickly and calmly, as well as our community, our advisors, and partners for being so understanding and for all the support offerings.

~ Lafayette Tabor

What’s next?

Immediate Measures:

  • Launch new lending contract restoring the balances of all liquidated users
  • We will also restore the SOLID + SEX emissions that are currently collected in our wallets.
  • Lending contract stays closed — no liquidations or borrowing will be possible during this time.
  • We will work closely together with the MUON engineers to finish & deploy VWAP oracles.

Mediate term measures

  • Commission in-depth documentation on the MUON VWAP solution — which prices are taken where and how and how the price is calculated and why this will prevent an exploit like this
  • Launch 1M bug bounty on new lending contracts.
  • Let security researchers and devs take a look at it.

Update: 27.03

the funds have been returned to all users via the reimbursement contract deployed at:

0x85B6996ab768600C14dA1464205bd6b3a864417D

Oracles were changed to muon and deployed at this address:

0x8878eb7f44f969d0ed72c6010932791397628546

The new Lending with Muon Oracles were audited by Armor Labs

Update: 28.04

Solidly VWAP oracle incident implementation deployed on the Muon Network:

https://hackmd.io/uebU9H_FSVqiqfFUoDe1tQ

--

--

DAO member of DEUS Finance @lafachief in telegram.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store