DEI Lending zero-day vulnerability Dear Community Your funds and our system are safe, we deactivated all affected contracts and have been in contact with MUON to upgrade our oracles immediatly to mitigate further risks for future implementations, we also contacted some security researchers to take a look at our architecture. On April-28–2022 06:19:46 AM +UTC an unknown exploiter used a zero day exploit attack against our Oracles deployed on MUON. The attack method of the recent exploit, the steps we have taken to limit and reverse the damage, and the recovery process of funds. We explain the plan to implement additional fail-safes and upgrades to our system to prevent such attacks in the future. Overview How did the DEI Finance exploit in combination with the Solidly off-chain VWAP oracle incident happen? The attacker took the following steps: Found out how to manipulate the Off-chain oracle using call data on swaps Sent 800 ETH via tornado cash Test transactions and collateral with 800 ETH Manipulated the prices via call data Executed a flash loan to manipulate on-chain price checks (which PeckShield reported) Sent everything out via tornado The first thing to note is that this was NOT a typical flash loan exploit. The attacker managed to find a zero-day vulnerability in the custom DEI Lending off-chain VWAP implementation deployed on the Muon network. Was the Muon network compromised? No. Everything that transpired took place inside a custom app, which was running on the Muon network. So how is Muon related to this? The logic inside the APP deployed on the Muon network had a rare vulnerability. Muon itself is like Ethereum, Muon apps are like Smart Contracts on the Muon Network, and the Muon APP we used to define the VWAP had a vulnerability. What steps were taken post-exploit? Connected with third parties specializing in recovering funds as well as with CEXs and authorities tracked a wallet linked to the hack that was also linked to a Binance account was frozen as a suspicious account suspected of being involved An action fraud case was opened and is being actively investigated by the authorities Bugfix the attack vector other channels opened to explore further methods Implement other layers of extra security to mitigate further risks Immediate fixes applied: - price based on reserves - filter abnormal requests ( for now ) - block using one muon signature more than once per wallet - cool down( a delay between borrow/redeem for each wallet) How will the damage to the protocol be mitigated if the authorities cannot recover the funds? **Use AMOv3 to restore peg (already done) - this lead to a great imbalance of the backing to the DEI amount circulating.** Use DEUS private veDEUS holding to burn bad debt (ongoing) Deposit AMOv3 acquired DEI into General Lending (can be used when lending is active again) Deploy a new Bonding System that sells synthetic bonds based on AMOv3 DEI with a fixed interest (currently being prepared) How is DEI backed now? 97m DEI in circulation. 9m DEI was borrowed over collateralized, tagged as “virtual reserve” 10m DEI will be borrowed via team veDEUS holdings and burnt (clear bad debt) 35m DEI was bought by the AMOv3 and will be deposited into the General Lender to be lent out or be utilized in the new Fixed Interest Bonds system. ~40M USDC are in the PoolUSDC contracts https://lafayettetabor.medium.com/new-dei-peg-mechan-1af3e3d9a975 AMOv3 and the dynamics behind it are explained here What is Bonding at a fixed interest rate? A new system on top of AMOv3 that will create synthetic bonds that users can buy from the AMOv3 contract, Bonds with a fixed interest for 1 year, paid out over 1 year, with increasing interest rate linearly in a reverse dutch auction. Will be explained in more detail in an upcoming blog that goes into detail about the implementation. Further articles will follow going into more detail about the AMO, fixed interest BONDs, and the DEI system. The exploit in detail Around 19 days ago the hacker started testing around with the off-chain DEI lending oracles trying to reverse engineer the oracle functionality on this wallet: https://ftmscan.com/tokentxns?a=0xb4d7397808a68d440a4a741bc08efbc20ef714a6&p=3 (Apr-12-2022 02:12:09 PM +UTC) he started testing his idea on-chain Specific Attack vector See the transaction that manipulated the oracle price: https://ftmscan.com/tx/0x8589e136e6ad927096d07baa16852d16f11456c0446efb8f1ecd467ce0d4cb10 This is a special swap type that uses the call data field to trick the DEI Lender VWAP oracle into believing the price is different than what it really is. A normal swap would look like this: Amoun0in 10 Amount1in 0 Amount0out 0 Amount1out 1 price 10/1 = 10. You can see Amount1in & Amount0out is 0, the Oracle used Amount0in and Amount1out to calculate the price 10/1 = 10. Abusing call data to spoof the app, someone can craft a Swap that looks like this Amoun0in 10 Amount1in 1 Amount0out 0.9 Amount1out 9 Price 10/9 = 1.111.. manipulating the price calculation in the exploit the call data looked like this: 2035723 / 100010 = so the oracle reported price was ~20 instead of 1. As soon as he realized that using the data field manipulated the price, he transferred 800 ETH from Binance to this account to start the attack and manipulate the prices: https://etherscan.io/address/0x3677b3258b815815e975e65e8e49b3bcb53a6a6c (Apr-15-2022 07:14:58 AM +UTC) he withdrew from Binance He then withdrew the ETH from tornado cash to this address: https://etherscan.io/address/0x700a81265ea72f609eaf9d0f08356c94b1c5af52 (Apr-27-2022 04:15:44 PM +UTC) Then transferred the ETH to this address: https://etherscan.io/address/0x701428525cbac59dae7af833f19d9c3aaa2a37cb Then moved the ETH to fantom: https://ftmscan.com/address/0x701428525cbac59dae7af833f19d9c3aaa2a37cb And started testing the manipulation and prepared his collateral & afterward he manipulated the VWAP, then he needed around ~4 minutes building the final transaction (including the flash loan everyone reported about) and then he executed the exploit. VWAP spoof transaction https://ftmscan.com/tx/0x8589e136e6ad927096d07baa16852d16f11456c0446efb8f1ecd467ce0d4cb10#eventlog (Apr-28-2022 02:36:00 AM +UTC) And Exploit: (Apr-28-2022 02:40:14 AM +UTC) He then transferred everything out via Tornado cash but that is already public knowledge and many reported this: https://rekt.news/deus-dao-rekt-2/ Until now no one else managed to reconstruct how this exploit happened in detail by using call data to spoof the VWAP oracle via Amoun0in 10 Amount1in 0 Amount0out 0 Amount1out 1 price 10/1 = 10. This shows how advanced the reverse engineering of the non-open sourced oracle actually was, hence why we sent an on-chain TX offering the exploiter 20% as a bounty if he returns the funds. Despite our success with the authorities and chain analysis, we think awarding this amount of Bounty is fair for this finding. Despite that offer, we managed to track down, together with Binance, the owner of the initial accounts that funded the hack and froze funds on it. We are in contact with the authorities to proceed. We also worked closely with Lossless in this case and are considering redeploying the DEI token with the LRC20 standard to implement another backstop system. If you want to learn more about the LRC20 standard read here: https://lossless.cash/ https://lossless-cash.gitbook.io/lossless/ We have already taken measures to mitigate the protocol damage even if we are unable to return the funds. Fixes on side of the app deployed on muon: Bugfix the zero-day exploit in Solidly_permissionless_oracle by filtering out for swaps using call data and abstract swap structure. (already done this and enabled withdrawals again, link) Calculate price based on Swap logic and Reserve Values use indexed reserve values emitted through sync to calculate the price sync( reserves) emitted after each tx: based on internal swap logic applied to reserves instead of swaps. (implementation is currently ongoing) another muon app that acts as an aggregator of underlying apps This will aggregate prices across multiple dexes, permissionless. Additionally, we are adding a period of time, limits per Wallet, and also daily global limits. This will make it even more unattractive for attackers to try out and reverse engineer the oracles. Implement fault tolerance price abnormality detection mechanism (https://users.ece.cmu.edu/~koopman/se/icse02.pdf) https://towardsdatascience.com/unsupervised-learning-for-anomaly-detection-in-stock-options-pricing-e599728958c7 Challenger system optimistic rollups use to detect malicious TXs also used in rainbow bridge and TruBit. https://thelayer.xyz/plot-twist-hacker-loses-eth-for-attack-on-a-cross-chain-bridge/ https://muon.gitbook.io/basics/muon-tech/subsequential-consensus Updates on DEUS contract level - block flash loans in combination with muon sigs by not using one muon signature more than once per wallet. - block flash loans in combination with muon sigs by implementing a cool down( a delay between borrow/redeem for each wallet) - add another layer of redundancy by adding Chainlink price feeds when possible in combination with permissionless VWAP. - redeploying DEI as a Lossless LRC20 token.