DeFi protocol DEUS Finance lost more than $6 million in a hack over the weekend which exploited a vulnerability in the stablecoin DEI, but a large chunk of it has now been recovered.
According to blockchain security firm PeckShield, the attack targeted DEUS Finance’s own stablecoin DEI on the networks BNB Smart Chain and Arbitrum.
DEI, which is supposed to be pegged at $1, hasn’t traded at its intended peg since May of last year, and at the time of writing the price stood at $0.28, data from CoinMarketCap shows.
Public burn attack
The BNB Smart Chain attack was reportedly carried out thanks to a so-called public burn vulnerability, leading to a loss of more than $1.3 million from the blockchain, PeckShield wrote in a tweet this weekend.
The attack also targeted Arbitrum, leading to a loss of more than $5 million from that network.
Arbitrum is a layer 2 scaling solution for Ethereum, and the network operates with its own ARB token.
Further details about the attack were also shared in PeckShield’s tweet.
Other users also shared details on the attack, with one user claiming the root cause was a “basic implementation error in the token contract.”
The same user who pointed out the cause of the attack also said he has taken part in recovery efforts, saying he is attempting to use so-called white hat hacking techniques to recover some of the lost funds.
He added a day later that recovered funds have been sent to a special wallet managed by DeFi developer @lafachief and “trusted members” of the Yearn Finance DeFi project.
Confirmation that recovered funds had been collected was later shared on Twitter by the team behind DEUS, which said the funds are now held in a multi-signature wallet.
At the time of writing, the wallet referred to holds 2,023 ETH tokens, worth some $3.8 million. The ETH was received from an address marked as “Deus DEI Exploiter” on Sunday.
Additionally, the wallet holds $158,857 worth of DEUS tokens and $702,370 worth of the stablecoin USDC.
It remains unknown at this point whether the rest of the missing funds will be recovered, and whether affected users can count on being made whole.