
Explained: The Deus DAO Hack (May 2023)

Category: Explained: Hacks


POSTED BY: Rob Behnke

05.08.2023

In May 2023, Deus DAO suffered another hack. The attacker exploited the project on Arbitrum, BSC, and Ethereum to steal an estimated $6.5 million.

Inside the Attack

The Deus DAO hack was made possible by an error in the contract’s burnFrom function. The two indices used to read the allowances mapping in that function were in the wrong order, with msg.sender placed before account. As a result, an allowance from user A to user B was read as an allowance from user B to user A.

The result was a publicly accessible burn function that gave the attacker control over the token approvals of other users of the project. The attacker could grant an approval from their own address to a DEI token holder’s address; because of the swapped lookup, calling the misconfigured burnFrom with that holder as the account and a burn amount of 0 then gave the attacker an allowance over all of the tokens in that holder’s account.

As a result, they could transfer assets from these users’ wallets directly into their own account. This allowed the attacker to drain $6.5 million from users’ accounts across three chains: Arbitrum ($5M), BSC ($1.3M), and Ethereum ($135K).

In several cases, the exploit transactions were front-run by whitehats. The Deus DAO team has set up a multisig wallet to receive the funds, and roughly 10% of the stolen funds have been returned to the project.
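The following contract is an added illustration, not the DEI contract’s source: it shows the vulnerable shape of burnFrom described above next to the corrected lookup, using a minimal ERC20-style allowance mapping. The contract and function names (AllowanceBurnExample, burnFromVulnerable, burnFromFixed) and the OpenZeppelin-style storage layout are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20-style token carrying only the pieces needed to show the bug.
// Added example for illustration; not the DEI contract. Names and storage
// layout follow the common OpenZeppelin pattern and are assumptions.
contract AllowanceBurnExample {
    mapping(address => uint256) public balanceOf;

    // _allowances[owner][spender]: how much `spender` may move on behalf of `owner`.
    mapping(address => mapping(address => uint256)) private _allowances;

    constructor() {
        balanceOf[msg.sender] = 1_000_000e18;
    }

    function allowance(address owner, address spender) public view returns (uint256) {
        return _allowances[owner][spender];
    }

    // Standard approve: the caller (owner) grants `spender` a limit.
    function approve(address spender, uint256 amount) external returns (bool) {
        _allowances[msg.sender][spender] = amount;
        return true;
    }

    function _burn(address account, uint256 amount) internal {
        require(balanceOf[account] >= amount, "burn amount exceeds balance");
        balanceOf[account] -= amount;
    }

    // VULNERABLE shape, as described in the post: the mapping is read as
    // [msg.sender][account] instead of [account][msg.sender]. With amount == 0
    // the require passes, and the write below stores the caller's own
    // self-declared approval into `account`'s allowance slot for the caller.
    function burnFromVulnerable(address account, uint256 amount) external {
        uint256 currentAllowance = _allowances[msg.sender][account]; // BUG: indices swapped
        require(currentAllowance >= amount, "burn amount exceeds allowance");
        _allowances[account][msg.sender] = currentAllowance - amount;
        _burn(account, amount);
    }

    // FIXED: read the allowance that `account` actually granted to the caller.
    // A caller with no allowance from `account` now fails the require for any
    // amount > 0, and for amount == 0 merely rewrites the slot with its own value (0).
    function burnFromFixed(address account, uint256 amount) external {
        uint256 currentAllowance = _allowances[account][msg.sender];
        require(currentAllowance >= amount, "burn amount exceeds allowance");
        _allowances[account][msg.sender] = currentAllowance - amount;
        _burn(account, amount);
    }
}
```

A regression test that would have caught this: from an address that has never received an approval from the holder, call burnFrom(holder, 0) and assert that allowance(holder, caller) is still zero afterwards. Against burnFromVulnerable that assertion fails as soon as the caller has approved the holder from its own address, which is exactly the condition the post describes; against burnFromFixed it holds.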

Lessons Learned From the Attack

The Deus DAO hack was made possible by a simple error in the contract’s burnFrom function. By swapping the order of the two indices in the allowance lookup, the contract authors made it possible for an attacker to access and drain funds from the accounts of any DEI token holder.

This vulnerability would likely have been detected and corrected if the contract had undergone a security audit before launch. To learn more about how to protect your DeFi contracts from exploitation, contact us.


© Halborn 2025. All rights reserved.