PeckShield, one of the best-known blockchain security firms in the industry, shared information about, possibly, one of the biggest exploits made by hackers recently. Today, the victim is DeusDao, which is the "world-first decentralized bilateral OTC derivatives platform," with $13.7 million of funds lost with possibly even more damage.
As the security firm suggests, the hack was possible thanks to the manipulation of the price oracle via flashloan. By manipulating the price oracle, hackers could borrow and drain the pool while not paying the corresponding collateral. As PeckShield suggested, the hack scheme was not new and had been used previously for exploiting other DeFi platforms.
The @DeusDao was exploited today in https://t.co/USKNHhXeid with ~$13.4M gain for the hacker (The protocol loss may be larger).
— PeckShield Inc. (@peckshield) April 28, 2022
PeckShield also described the four exact steps that allowed a hacker or group of hackers to steal the abovementioned funds. First, hackers flashloaned $143 million USDC and swapped them to 9.5 million DEIO by using the sAMM-USDC/DEI_USDC_DEI pair, which made DEI extremely expensive. With only 71,436 DEI as collateral, the hacker could borrow 17 million DEI thanks to the price manipulation and repay the flashloan, while leaving $13 million as hack profits.
The whole exploit is possibly due to issues in the code that mess up the price oracle function responsible for proper price balancing.
As the post suggests, the initial 800 ETH that were used to launch the hack process were withdrawn from TornadoCash coin mixing solution and then sent to Fantom by using multichain.
Following the successful hack, funds were sent back to Ethereum wallet ending in a37cb and then sent to TornadoCash once again in order to cover all tracks remaining after another hack. Most likely, the hack is tied to one of the hacker group who have repetedly attacked various DeFi and NFT projects since last month.