
Cyber Incident Victim: Deus Finance

Date: Mar 2022

Location: United States of America

Summary

An unknown exploiter conducted a flash loan attack targeting oracle vulnerabilities in a lending MVP, resulting in a loss of 5.2 sAMM tokens. The team swiftly deactivated affected contracts, engaged security researchers, and collaborated with oracle provider MUON to implement upgraded VWAP oracles designed to prevent similar exploits. All user funds were fully reimbursed 1:1 using personal and DAO treasury reserves, with reimbursements processed through a dedicated contract and lost SOLID + SEX emissions restored. The incident highlighted insufficient oracle robustness in the initial MVP, though planned mitigations were already underway, and post-incident measures included a bug bounty program and third-party audits of the upgraded system.


Description

On March 15, 2022, at approximately 06:19:46 AM UTC, an unidentified attacker executed a flash loan attack against the oracle system of Deus Finance’s lending minimum viable product (MVP). The exploit abused weaknesses in the project’s liquidation oracle to manipulate the pricing data it supplied. At the time of the incident, the Deus team was offline after late-night work sessions, so detection was delayed until approximately 07:30 AM UTC. By 07:40 AM UTC, the team had deactivated all affected contracts to prevent further exploitation. The full extent of the financial impact became clear by 08:30 AM UTC, with confirmed losses totaling 5.2 sAMM tokens, including 0.2 sAMM attributed to a team member’s position. A pre-existing 10 million dollar limit on the lending contract capped the attacker’s reach and mitigated potential losses.


Deus Finance immediately committed to reimbursing affected users 1:1 using personal and DAO treasury funds, explicitly rejecting reimbursement tokens in favor of direct asset restoration. This included compensating users for unclaimed SOLID and SEX emissions rewards. The team attributed the exploit to an outdated oracle implementation, acknowledging that a more robust Muon Network-based VWAP (Volume-Weighted Average Price) oracle system—already under development—would have prevented the attack. Post-incident measures included deploying a reimbursement contract (0x85B6996ab768600C14dA1464205bd6b3a864417D) by March 27 to restore user balances and upgrading to Muon’s VWAP oracles (0x8878eb7f44f969d0ed72c6010932791397628546), which underwent an audit by Armor Labs. The lending contract remained paused during remediation, and the team instituted a $1 million bug bounty program while collaborating with security firms Byte Masons and Immunefi for additional reviews. The DAO’s financial reserves, accumulated through a continuous token offering model, enabled full reimbursement without jeopardizing operational sustainability.
