@i2huer and @0xtarafans

Produced by PNM x Narya Labs

TL;DR

On March 15, 2022, Deus Finance, a DeFi protocol on Fantom was hacked with a loss of $3M. The attacker exploited a smart contract bug with flash swap and price oracle manipulation.

Transaction

Fantom Transaction Hash (Txhash) Details | FtmScan

Exploit

A functional PoC that can reproduce the attack

postmortem/2022/deus at main · PwnedNoMore/postmortem

Vulnerability

DeiLenderSolidex is a lending protocol:

• The collateral is the deposit token of the LP tokens for Solidex AMM-USDC/DEI . One can get the deposit tokens by staking the LP tokens of Solidex AMM-USDC/DEI at this LP depositor.
• The token one can borrow from the protocol is DEI, a stable coin.

isSolvent() checks whether a user’s position is healthy or not.

function isSolvent(address user) public view returns (bool) {
		// accrue must have already been called!
		uint256 userCollateralAmount = userCollateral[user];
    if (userCollateralAmount == 0) return getDebt(user) == 0;

		return
		    userCollateralAmount.mul(oracle.getPrice()).mul(LIQUIDATION_RATIO) /
		         (uint256(1e18).mul(1e18)) >
        getDebt(user);
}

Oracle is the smart contract used to calculate the price of each deposit token. pair_ is the Solidex AMM for USDC/DEI.

contract Oracle {
    IERC20 public dei;
    IERC20 public usdc;
    IERC20 public pair;

    constructor(
        IERC20 dei_,
        IERC20 usdc_,
        IERC20 pair_
    ) {
        dei = dei_;
        usdc = usdc_;
        pair = pair_;
    }

    function getPrice() external view returns (uint256) {
        return
            ((dei.balanceOf(address(pair)) + (usdc.balanceOf(address(pair)) * 1e12)) *
                1e18) / pair.totalSupply();
    }
}

The value of a deposit token equals to the value of a LP token as calculated by the equation above (depending on how many DEI and USDC there are in the pool). Note that the decimal of USDC is 6 while that of DEI is 18.