# Attack Details


**By exploiting the DEI token implementation bug, the attacker could manipulate allowances, transfer DEI out of the pair, and swap it for a significant amount of USDC.**

The series of events led to the massive security breach and loss of user funds on the Chronos Exchange on the Arbitrum platform, as well as on all other exchanges on which the DEI token was listed.

An in-depth examination of the attack can be found by analyzing the following Arbitrum transaction: <https://explorer.phalcon.xyz/tx/arbitrum/0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef?line=25>

#### Here is a simplified explanation of the attacker's method and steps taken:

1. First, the attacker takes advantage of the bug in the DEI token implementation, which allows them to increase their allowance for any DEI holder. Consequently, the attacker can move any holder's DEI funds.

#### Step 1: The attacker calls DEI.burnFrom(account = sAMM Pair, amount = 0).

The `burnFrom` implementation reads `currentAllowance` from `_allowances[_msgSender()][account]`, which is the allowance the caller granted to the pair (a value the caller sets freely), and then calls `_approve(sAMM, attacker, currentAllowance)`. That allowed the attacker to spend any `currentAllowance` from the sAMM Pair.

Link to the source code:\
<https://bscscan.com/address/0x1472b3081d81b792e697aea90accbbc4adc5baf9#code#F5#L308>

`_allowances[_msgSender()][account]`

should be

`_allowances[account][_msgSender()]`

### The exploitable burnFrom function:

{% code fullWidth="true" %}

```solidity
    // Vulnerable version as deployed: the allowance is read from the wrong slot.
    function burnFrom(address account, uint256 amount) public virtual {
        // BUG: reads _allowances[caller][account], the allowance the caller granted to
        // `account`, which the caller controls; it should read _allowances[account][caller].
        uint256 currentAllowance = _allowances[_msgSender()][account];
        // The caller-chosen value is then written into the correct slot, account -> caller.
        _approve(account, _msgSender(), currentAllowance - amount);
        _burn(account, amount);
    }
```

{% endcode %}

### The related \_approve function:

{% code lineNumbers="true" fullWidth="true" %}

```solidity
    function _approve(
        address owner,
        address spender,
        uint256 amount
    ) internal virtual {
        _allowances[owner][spender] = amount;
        emit Approval(owner, spender, amount);
    }
```

{% endcode %}
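To make the slot mix-up concrete, here is an added Python model of the allowance bookkeeping (example code written for this page, not the DEI contract or any DEUS code). It replays Step 1 and Step 2 against both the deployed `burnFrom` and the corrected read `_allowances[account][_msgSender()]`, and exposes the invariant a unit test should have enforced. The `sAMM_pair` and `caller` labels and the 1,000,000 starting balance are constructed.

```python
from collections import defaultdict

MAX_UINT = 2**256 - 1


class Token:
    """Minimal ERC-20-style ledger: allowances[owner][spender] mirrors the Solidity
    mapping _allowances[owner][spender] used by burnFrom and _approve on the page."""

    def __init__(self, vulnerable: bool):
        self.vulnerable = vulnerable
        self.balances = defaultdict(int)
        self.allowances = defaultdict(lambda: defaultdict(int))

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] += amount

    def approve(self, caller: str, spender: str, amount: int) -> None:
        # ERC-20 approve: the caller is the owner of the allowance being set.
        self.allowances[caller][spender] = amount

    def burn_from(self, caller: str, account: str, amount: int) -> None:
        if self.vulnerable:
            # As deployed: reads the allowance the CALLER granted to `account`,
            # a value the caller sets freely with approve().
            current = self.allowances[caller][account]
        else:
            # Corrected: reads the allowance `account` granted to the CALLER.
            current = self.allowances[account][caller]
        if amount > current:
            raise ValueError("burn amount exceeds allowance")  # Solidity 0.8 underflow revert
        # Both versions then write account -> caller (the correct slot), which is why
        # the caller-controlled value lands in the pair's allowance to the caller.
        self.allowances[account][caller] = current - amount
        if amount > self.balances[account]:
            raise ValueError("burn amount exceeds balance")
        self.balances[account] -= amount

    def transfer_from(self, caller: str, src: str, dst: str, amount: int) -> None:
        allowed = self.allowances[src][caller]
        if amount > allowed:
            raise ValueError("insufficient allowance")
        if amount > self.balances[src]:
            raise ValueError("insufficient balance")
        self.allowances[src][caller] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] += amount


def run_scenario(vulnerable: bool) -> dict:
    """Replays Step 1 and Step 2 from the page. Labels and the 1,000,000 starting
    balance are constructed for this example."""
    token = Token(vulnerable)
    pair, caller = "sAMM_pair", "caller"
    token.mint(pair, 1_000_000)
    # The caller approves the pair for MAX on the caller's own (empty) balance.
    token.approve(caller, pair, MAX_UINT)
    # Step 1: burnFrom(account = pair, amount = 0) burns nothing but rewrites the allowance.
    token.burn_from(caller, pair, 0)
    granted = token.allowances[pair][caller]
    # Step 2: attempt a transferFrom of the pair's entire balance.
    try:
        token.transfer_from(caller, pair, caller, token.balances[pair])
        drained = True
    except ValueError:
        drained = False
    return {"allowance_pair_to_caller": granted,
            "pair_balance": token.balances[pair],
            "drained": drained}


def burn_from_invariant_holds(vulnerable: bool) -> bool:
    """Unit-test invariant a reviewer would add: burnFrom(holder, 0) called by an
    address the holder never approved must leave that address's allowance at 0."""
    return run_scenario(vulnerable)["allowance_pair_to_caller"] == 0


if __name__ == "__main__":
    for flag in (True, False):
        print("vulnerable" if flag else "fixed", run_scenario(flag))
```

With the deployed read, `burn_from` with `amount = 0` copies the caller's self-set `MAX_UINT` into the pair's allowance and the subsequent `transfer_from` empties the pair; with the corrected read the allowance stays 0 and `transfer_from` reverts. The `burn_from_invariant_holds` check is the kind of negative test (unapproved caller, zero amount) that catches this class of owner/spender index swap before deployment.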

### Step 2: The attacker abuses the broken `burnFrom` to increase their allowance and `transferFrom` all DEI out of the pair.

<figure><img src="https://806199106-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdyazboS534fLJtmUAkRQ%2Fuploads%2FFOLk5MzkgD3IQW8aq4rL%2Fphoto_2023-05-13_00-07-36%20(3).jpg?alt=media&#x26;token=85b06d27-5e77-4bc8-90bd-f1d17b2d748f" alt=""><figcaption></figcaption></figure>

### Step 3: The attacker calls sAMM.sync()

`sync` recalculates the reserves based on the token balances. After calling `sync`, DEI `reserve0` is 1 and USDC `reserve1` is 5,047,470,472,573.

<figure><img src="https://806199106-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdyazboS534fLJtmUAkRQ%2Fuploads%2F92V4TgsnBq2yy8iZjRO6%2FsAMM.sync%20.jpg?alt=media&#x26;token=6169eed9-0ea2-4820-9e80-4769221ca7de" alt=""><figcaption></figcaption></figure>

#### Step 4: The attacker calls swap() and trades the difference.

With the reserves recalculated as above, 0 DEI is now worth 5 million USDC.

<figure><img src="https://806199106-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdyazboS534fLJtmUAkRQ%2Fuploads%2F28aRZZujA97tbgyrjeQ3%2FSwap.jpg?alt=media&#x26;token=b9d65a1b-51f4-483c-8cf9-3c3ac037bd4d" alt=""><figcaption></figcaption></figure>

<figure><img src="https://806199106-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdyazboS534fLJtmUAkRQ%2Fuploads%2F3noZPDJLfZnMSio8YXaf%2FSwap%20%26%20calldata.jpg?alt=media&#x26;token=21a1bf9f-b067-41a4-8bf0-d4c0d9c511bc" alt=""><figcaption></figcaption></figure>

### Step 5: The attacker transfers DEI back

This step allowed for massive further damages.

<figure><img src="https://806199106-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdyazboS534fLJtmUAkRQ%2Fuploads%2Fgbk6z2oXAA4wacf7BlpL%2FDEI%20transfer.jpg?alt=media&#x26;token=7221bbb8-9ef2-4ce9-9dda-b7b1213aeb0d" alt=""><figcaption></figcaption></figure>


The attacker's accrued profit was approximately $5 million, yet the consequential damages far exceed this figure and are estimated at between $8-10 million based on our current analysis (before recovering funds; see the recovery section [here](https://docs.deus.finance/contracts/reimbursement-guide/dei-depeg/..#recovering-funds)).

Based on this step, we conjecture that the attacker opted for a rushed approach, likely fearing that someone else might discover the bug, or that their main goal was causing maximum damage.

Read more about it [here](https://docs.deus.finance/contracts/reimbursement-guide/dei-depeg/incident-analytic-summary/..#exploiter-profile).

### Relevant Links:

1. Transaction leading to the hack: [https://arbiscan.io/tx/0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef](https://arbiscan.io/tx/0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef)
2. Address holding funds after the attacker swapped USDC to WETH: [https://arbiscan.io/address/0x189cf534de3097c08b6beaf6eb2b9179dab122d1](https://arbiscan.io/address/0x189cf534de3097c08b6beaf6eb2b9179dab122d1)
