defirisk.co
rubric v1.7.0

Deus DAO: Dual oracle manipulation — VWAP oracle pre-poisoned via flash swap, then on-chain AMM oracle manipulated via flash loan — to inflate DEI collateral value and borrow far beyond real collateral worth


  • Occurred: 2022-04-28
  • Loss: $13M
  • Status: closed

Summary #

Deus DAO, an Algorithmic Stablecoin / Lending protocol, suffered an exploit on 2022-04-28, resulting in a loss of approximately $13M.

What happened #

Deus DAO was hit for $13.4M in a sequel exploit that defeated both their on-chain AMM oracle and their newly integrated off-chain VWAP oracle by abusing an unfiltered Solidly flash swap to poison the VWAP 4 minutes before the main attack.

Linked factors #

  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded: YES — the Muon oracle was newly integrated specifically after the first exploit as a security fix (announced live March 19, 2022; exploite...]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: YES — the pre-poisoning transaction creates an anomalous USDC/DEI price movement on Solidly; a monitor watching for large sudden DEI price...]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked: No specific fork origin noted]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: YES — the Muon oracle was newly integrated specifically after the first exploit as a security fix (announced live March 19, 2022; exploite...]