DEUS DAO Hack Analysis
Overview:
On May 5, 2023, Deus DAO was exploited through a business logic issue, resulting in a total loss of $6.5M across the Arbitrum, BSC, and Ethereum chains. This vulnerability was detected by our tool SolidityScan, which detects 130+ smart contract vulnerabilities. Sign up for a free trial at https://solidityscan.com/signup

Smart Contract Hack Overview:
- Vulnerable contract: 0xbc1b62
- Attacker’s address (Arbitrum): 0x189cf5
- Attacker’s transaction (Arbitrum): 0xb11417
- Frontrunner address (BSC): 0x5a647e
- Attacker’s transaction (BSC): 0xde2c87
- Attacker’s address (Ethereum): 0x189cf5
- Attacker’s transaction (Ethereum): 0x6129dd

Decoding the Smart Contract Vulnerability:
- The attacker initiated the attack by approving the victim for a large amount.
- In ERC20, allowances are stored as _allowances[owner][spender], where owner is the token holder and spender is the address permitted to spend on the holder's behalf.

- The vulnerability existed in the smart contract’s burnFrom() function, which was implemented with the owner and spender parameters of ‘_allowances’ in reversed order.

- Because of the misordered parameters, the attacker could set a large token approval towards any DEI holder’s address and have burnFrom() read it as that holder’s allowance. Then, before the tokens were burned, the approval was rewritten with the attacker’s address as the spender: the victim (account) ended up approving the attacker (spender) for (currentAllowance - amount) tokens.
- Because the attacker called burnFrom() with an amount of 0, nothing was burned and the attacker was approved for the full allowance value.
- This amounted to a public burn vulnerability: the attacker was able to manipulate and take control of DEI holders’ approvals and transfer their assets directly to the attacker’s own address.
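The reversal described above, as an added illustration rather than the DEI contract’s own code: a minimal token whose burnFrom() reads and writes the allowance mapping with owner and spender swapped, next to the corrected version. The contract and function names (BurnFromDemo, burnFromVulnerable, burnFromFixed) are assumed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Minimal allowance logic, reconstructed for illustration only.
// This is not the DEI contract's code; only the owner/spender reversal
// in burnFrom follows the description above.
contract BurnFromDemo {
    mapping(address => uint256) private _balances;
    // Standard ERC20 layout: _allowances[owner][spender]
    mapping(address => mapping(address => uint256)) private _allowances;

    function allowance(address owner, address spender) public view returns (uint256) {
        return _allowances[owner][spender];
    }

    function approve(address spender, uint256 amount) public returns (bool) {
        _approve(msg.sender, spender, amount);
        return true;
    }

    function _approve(address owner, address spender, uint256 amount) internal {
        _allowances[owner][spender] = amount;
    }

    function _burn(address account, uint256 amount) internal {
        require(_balances[account] >= amount, "burn exceeds balance");
        _balances[account] -= amount;
    }

    // VULNERABLE: the allowance read is _allowances[msg.sender][account], i.e.
    // what the CALLER approved to `account`, while the write makes the CALLER
    // the spender of `account`'s tokens. With amount == 0, any value the caller
    // approved to `account` becomes the caller's allowance over `account`.
    function burnFromVulnerable(address account, uint256 amount) public {
        uint256 currentAllowance = allowance(msg.sender, account);
        require(currentAllowance >= amount, "burn amount exceeds allowance");
        _approve(account, msg.sender, currentAllowance - amount);
        _burn(account, amount);
    }

    // FIXED: read and write _allowances[account][msg.sender] consistently, so
    // only an allowance that `account` itself granted to the caller is spent.
    function burnFromFixed(address account, uint256 amount) public {
        uint256 currentAllowance = allowance(account, msg.sender);
        require(currentAllowance >= amount, "burn amount exceeds allowance");
        _approve(account, msg.sender, currentAllowance - amount);
        _burn(account, amount);
    }
}
```

A unit test that approves a victim address from a second account, calls burnFromVulnerable(victim, 0), and then checks allowance(victim, caller) exposes the defect; the same test against burnFromFixed reverts.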

Mitigation and Best Practices:
- Always validate your code by writing comprehensive test cases that cover all the possible business logic, including the order of arguments in every allowance read and write.
- To prevent such vulnerabilities, experienced smart contract auditors must examine the contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan.
Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup