Since its launch in February 2021, Deri Protocol has been running smoothly. Over the past month, various DeFi projects have been attacked continuously, and the team has further strengthened security inspections in all our operations.
At 10 a.m. SGT on June 1, 2021, during the daily security check, the team found abnormal transactions from one address. After investigation, it was confirmed that the address was trying to profit from loopholes in the system's off-chain Oracle rules.
After assessing the situation, the team immediately started its emergency response procedures and took the following actions to ensure the safety of user funds as quickly as possible:
- Suspend the deposit, withdrawal and staking operations of Deri Protocol V1 for all users
- Troubleshoot all abnormal transactions and identify malicious addresses
- Confirm the blacklist of malicious addresses to ensure the safety of funds for ordinary users
Due to timely discovery and response, Deri Protocol confirms the safety of users’ funds. Users can check and confirm the safety of funds in the browser link:
At the beginning of the project, in order to deal with such possible attacks and protect the security of users' funds, Deri Protocol set up a liquidity pool migration function in the contract, which can safely migrate users' funds to another liquidity pool. This time, the team will migrate the existing V1 liquidity pool according to this rule. The migration process is as follows:
1. Deploy new contract https://bscscan.com/address/0xaf081e1426f64e74117ad5f695d2a80482679de5
2. According to the migration rules, a three-day review window is set for the new contract, and users can check the contract details by themselves.
3. After the three-day review window is over (at 4:15 am on June 4, 2021 UTC), the team will call the executeMigration() function in the new contract to migrate the funds and positions in the original liquidity pool.
4. The profit of the malicious address will be returned to the new liquidity pool during the migration process to ensure that user funds are not lost.
5. After the migration, the original liquidity pool will be removed from the Deri Protocol platform, and ordinary users can close positions, deposit and withdraw coins in the new liquidity pool.
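The review window in steps 2 and 3 can be enforced by the contracts themselves, so that funds cannot move early or to an unannounced pool. The sketch below is an added example, not Deri Protocol's contract code; apart from executeMigration(), every name in it (MigratablePool, prepareMigration, approveMigration, reviewDays, controller) is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical sketch of a time-locked pool migration; not Deri Protocol's code.
interface IMigratablePool {
    function migrationDestination() external view returns (address);
    function migrationTimestamp() external view returns (uint256);
    function approveMigration() external;
}

contract MigratablePool is IMigratablePool {
    address public controller;
    address public override migrationDestination; // announced successor pool
    uint256 public override migrationTimestamp;   // earliest time migration may run
    bool public migrated;
    event PrepareMigration(address destination, uint256 notBefore);
    event ExecuteMigration(address source, uint256 executedAt);

    modifier onlyController() {
        require(msg.sender == controller, "not controller");
        _;
    }
    constructor() { controller = msg.sender; }

    // Old pool: announce the successor on-chain and start the review window.
    function prepareMigration(address destination, uint256 reviewDays) external onlyController {
        require(destination != address(0), "zero destination");
        require(reviewDays >= 3, "review window too short");
        migrationDestination = destination;
        migrationTimestamp = block.timestamp + reviewDays * 1 days;
        emit PrepareMigration(destination, migrationTimestamp);
    }

    // Old pool: release state only to the announced successor, only after the window.
    function approveMigration() external override {
        require(msg.sender == migrationDestination, "caller is not announced destination");
        require(migrationTimestamp != 0 && block.timestamp >= migrationTimestamp, "review window open");
        require(!migrated, "already migrated");
        migrated = true;
        // A real pool would approve token transfers to the destination here.
    }

    // New pool: pull from the old pool; reverts unless the old pool's own checks pass.
    function executeMigration(address source) external onlyController {
        IMigratablePool src = IMigratablePool(source);
        require(src.migrationDestination() == address(this), "source did not announce this pool");
        require(block.timestamp >= src.migrationTimestamp(), "review window open");
        src.approveMigration();
        emit ExecuteMigration(source, block.timestamp);
    }
}
```

A user reviewing such a migration would read migrationDestination and migrationTimestamp on the old pool and compare them with the announced address and time before the window closes.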
Deri Protocol uses a new Oracle solution, and the vulnerability is not applicable in V2.
Although V2 will not have this loophole, V2 requires users to migrate liquidity, so the team decided to wait for V1 to be fixed before launching V2, in order to protect the interests of all platform users.