DEUS DAO DEI Stablecoin Mint
DEUS DAO's third incident drained $6.5M across BNB, Arbitrum and Ethereum via a flaw in DEI's burnFrom/approval logic that let attackers abuse allowances.
- Date
- Victim: DEUS Finance
- Status
- Funds Stolen
On May 5, 2023, DEUS Finance / DEUS DAO suffered its third major exploit in roughly fourteen months — approximately $6.5 million drained across BNB Chain, Arbitrum and Ethereum through a flaw in the DEI stablecoin contract's burnFrom/allowance logic.
What happened
DEUS's DEI stablecoin contract contained a vulnerability in how it handled burnFrom and allowances. The specific flaw allowed the attacker to manipulate the relationship between recorded allowances and balances such that they could extract value from the DEI contract and associated pools across the three chains where DEI was deployed.
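The page does not reproduce the DEI code, so the following is an added example, not DEUS's contract or the page's own code: a small Python model of ERC-20 allowance bookkeeping with an invariant check that a test suite could run on every `burnFrom` call. `SwappedLookupToken` is a constructed flaw chosen for illustration, and all class, function and account names are assumptions.

```python
from collections import defaultdict
class Token:
    """Reference model: allowances[owner][spender] is what spender may burn from owner."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = defaultdict(lambda: defaultdict(int))

    def _granted(self, caller, account):
        return self.allowances[account][caller]

    def burn_from(self, caller, account, amount):
        current = self._granted(caller, account)
        if current < amount or self.balances.get(account, 0) < amount:
            raise ValueError("insufficient allowance or balance")
        self.allowances[account][caller] = current - amount
        self.balances[account] -= amount

class SwappedLookupToken(Token):
    """Constructed flaw (assumption, not DEI's code): owner and spender swapped on read."""
    def _granted(self, caller, account):
        return self.allowances[caller][account]

def snapshot(token):
    """Non-zero allowances as {(owner, spender): amount}."""
    return {(o, s): v for o, m in token.allowances.items() for s, v in m.items() if v}

def check_burn_from(token, caller, account, amount):
    """Run one burn_from call and return the allowance invariants it broke."""
    before = snapshot(token)
    granted = before.get((account, caller), 0)
    try:
        token.burn_from(caller, account, amount)
    except ValueError:
        return []  # reverted before any state change
    after = snapshot(token)
    problems = []
    if granted < amount:
        problems.append("burned more than the allowance granted")
    if after.pop((account, caller), 0) != granted - amount:
        problems.append("allowance after call differs from granted minus burned")
    before.pop((account, caller), None)
    if after != before:
        problems.append("unrelated allowance changed")
    return problems

def audit(token_cls, amount):
    # Constructed scenario: holder granted caller nothing; caller approved holder for 500.
    token = token_cls({"holder": 1000, "caller": 0})
    token.allowances["caller"]["holder"] = 500
    return check_burn_from(token, "caller", "holder", amount)
```

The reference model passes the check for every amount, while the constructed variant is flagged even for a zero-amount burn, which is why the check compares allowance state before and after the call rather than only the balances.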
The attack drained the largest amount on BNB Chain (~$5.45M), with smaller amounts on Arbitrum and Ethereum. DEI depegged sharply as the unbacked extraction hit the market.
This was, definitively, DEUS DAO's third incident:
- March 2022 (~$3M) — oracle manipulation.
- April 2022 ($13.4M) — Solidly StableV1 oracle manipulation.
- May 2023 ($6.5M) — DEI contract burnFrom/allowance flaw.
Aftermath
- DEUS paused affected contracts and announced (again) a compensation plan.
- DEI's peg was not durably restored; the protocol's credibility was effectively exhausted by the third incident.
- The stolen funds were laundered through cross-chain routes and Tornado Cash.
Why it matters
DEUS DAO is the catalogue's clearest multi-incident fragility case study — three major exploits across two years, each through a different specific mechanism but all reflecting the same systemic reality: a team whose post-incident remediation repeatedly addressed the specific bug rather than the systemic security deficit.
The recurring lesson from repeat-incident protocols (DEUS three times, Cream Finance three times in 2021, Abracadabra three times in 2024-2025, ALEX Lab twice) is consistent:
The first exploit is a data point. The second is a pattern. The third is a verdict. A protocol that has been exploited twice and is exploited a third time is demonstrating that its security culture, not any individual bug, is the problem — and at that point continued user trust is, empirically, misplaced.
DEUS DAO's trajectory — oracle bug, oracle bug, stablecoin-contract bug, each "fixed," each followed by another — is the canonical illustration that shipping velocity without a corresponding security-culture investment produces a predictable sequence of incidents, and that the market's willingness to keep depositing after the second incident is one of DeFi's recurring, expensive irrationalities.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-deus-dao-hack-may-2023
- [02] crypto.news: https://crypto.news/deus-finance-hacked-over-6m-dei-stablecoin-stolen/
- [03] rekt.news: https://rekt.news/deus-dao-r3kt/