QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$951 000 USD
MAY 2025
GLOBAL
DEM EXCHANGE (DEMEX)
DESCRIPTION OF EVENTS
Demex positions itself as an all-in-one decentralized finance (DeFi) platform, offering both high-performance trading and yield-earning opportunities. Users can trade perpetual contracts with up to 100x leverage across top crypto markets like ETH, BTC, and BNB, while enjoying fast execution, deep liquidity, and low fees—all powered by DemexBFT, a proprietary consensus mechanism optimized for speed and security. On the earning side, users can participate in lending, liquidity pools, and staking without lock-up periods, benefiting from flexible, on-chain income with competitive APYs.
The platform currently supports 280 markets, with over $5.5 million in total value locked and more than $140,000 in 24-hour trading volume. Demex also supports cross-chain liquidity, allowing users to earn and trade across multiple blockchain ecosystems. Upcoming features in their roadmap include the launch of the $DMX token, multi-collateral support, advanced order types, and integration with centralized exchanges and Web3 wallets. By combining fast, decentralized trading with robust yield-generation tools, Demex aims to be a one-stop destination for both professional traders and passive crypto earners.
Unfortunately, the Demex smart contract contained a vulnerability where a deprecated vault’s pricing oracle could be manipulated through donation-based attacks. This flaw allowed an attacker to artificially inflate the vault’s token redemption rate, which was then reflected across lending markets as an inflated asset price.
Demex's post-incident analysis identified the root cause of the exploit as a donation-driven oracle manipulation attack that exploited vulnerabilities in the deprecated dGLP vault.
The exploit on Demex’s Nitron lending platform was rooted in an oracle manipulation attack targeting the deprecated dGLP vault, which had a very low total value locked (TVL) after most users had withdrawn. The attacker donated a small amount of fsGLP to the nearly empty vault, which manipulated the internal accounting and significantly inflated the GLP redemption rate. Since the vault was no longer in active use and poorly monitored, this manipulation went unnoticed.
Demex’s oracle, tasked with pricing dGLP, accepted the artificially inflated redemption rate and propagated it across the Nitron markets. The attacker then used the falsely high dGLP value as collateral to borrow legitimate assets from other users. Once the assets were withdrawn, the attacker exited the system, effectively stealing nearly $1 million in user funds.
A critical component of this failure was the design and oversight of the oracle system. Although the dGLP contract had been audited, the review did not consider its use as a price source for an oracle. Additionally, a safeguard that was supposed to cap dGLP’s price at $2 was never implemented, and this omission was not caught during internal reviews. Had controls such as using only deposits in redemption rate calculations and enforcing the price cap been in place, the exploit likely would have been prevented.
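The two controls named above (deposit-only redemption-rate accounting and the $2 price cap) are modelled below in Python. This is an added example, not Demex's contract or oracle code: the `Vault` class, the function names and every number are constructed for illustration, and yield and fees are ignored.

```python
from dataclasses import dataclass

PRICE_CAP_USD = 2.0  # cap the article says was planned for dGLP but never implemented

@dataclass
class Vault:
    """Toy share vault (assumption: yield and fees are ignored)."""
    shares: float = 0.0            # receipt tokens outstanding (dGLP in the article)
    tracked_deposits: float = 0.0  # underlying that arrived through deposit()
    balance: float = 0.0           # underlying actually held, direct transfers included

    def deposit(self, assets: float) -> None:
        self.shares += assets / self.rate_from_deposits()
        self.tracked_deposits += assets
        self.balance += assets

    def donate(self, assets: float) -> None:
        self.balance += assets     # plain transfer: no shares minted, nothing tracked

    def rate_from_balance(self) -> float:
        """Weak: any transfer into the vault moves the redemption rate."""
        return self.balance / self.shares if self.shares else 1.0

    def rate_from_deposits(self) -> float:
        """Hardened: only assets that minted shares count."""
        return self.tracked_deposits / self.shares if self.shares else 1.0

def price_weak(v: Vault, underlying_usd: float) -> float:
    return v.rate_from_balance() * underlying_usd

def price_hardened(v: Vault, underlying_usd: float, cap: float = PRICE_CAP_USD) -> float:
    return min(v.rate_from_deposits() * underlying_usd, cap)

def rate_divergence(v: Vault) -> float:
    """Monitoring signal: balance-based rate relative to the deposit-based rate."""
    return v.rate_from_balance() / v.rate_from_deposits()

def demo() -> dict:
    v = Vault()
    v.deposit(100.0)   # constructed: nearly empty vault with 100 units left
    v.donate(900.0)    # constructed: direct transfer that mints no shares
    usd = 1.5          # constructed USD price of the underlying
    return {"weak": price_weak(v, usd), "hardened": price_hardened(v, usd),
            "cap_only": min(price_weak(v, usd), PRICE_CAP_USD),
            "divergence": rate_divergence(v)}

if __name__ == "__main__":
    print(demo())
```

The `cap_only` value shows that the cap by itself bounds the reported price even when the rate calculation is left unchanged, while `divergence` is a value a monitor could alert on for a low-TVL vault.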
Demex reports the amount of loss at $950,559. This figure was copied by SlowMist in their summary publication about the incident. The majority of this amount came from an asset called milkTIA.
In response to the exploit, Demex is taking several immediate actions to manage the aftermath and prevent future incidents. The team is actively tracing the attacker’s addresses across multiple blockchains and working with exchanges and infrastructure partners to freeze or potentially recover stolen funds. To prevent further financial strain on users, interest payments on affected assets are being paused, ensuring that borrowers don’t accumulate additional debt during this period.
The Nitron exploit has led to significant changes in how Demex approaches recovery, user compensation, and platform security. While approximately $950,000 was lost in the attack, Demex has managed to recover a small portion of the funds and is pursuing further recovery efforts through legal channels and collaboration with ecosystem partners. In response, the team has introduced a hybrid restitution plan centered around a new recovery token, nLEND, which gives affected lenders a transparent claim on unrecovered funds with options to redeem for USDC or convert to DMX in the future, offering potential upside.
To fairly compensate affected users, Demex is introducing nLEND, a recovery token representing a $1 claim on unrecovered funds. Users whose lent assets were lost will receive nLEND in proportion to their losses, using prices fixed on the exploit date. These tokens will be redeemable for USDC through a dynamic redemption pool, starting at ~$0.082 per nLEND based on current recoveries. Redemption rates will adjust with further recovery or top-ups, and users who redeem early forfeit future claims on those tokens.
In a show of commitment, Demex will allocate at least 25% of any fundraising efforts toward topping up the redemption pool. If full recovery isn't achieved within a year, any remaining nLEND can be converted to DMX, Demex’s native token, at a 150% rate — calculated using the lower of DMX’s launch or one-year price. This hybrid recovery structure allows users to choose between early redemption or waiting for potential upside.
Demex emphasizes that using all treasury funds for immediate repayment would cripple future recovery efforts and harm the broader platform ecosystem. Instead, their recovery plan seeks to balance the needs of affected lenders with the long-term viability of Demex. Upcoming developments include an on-chain upgrade to support nLEND, new withdrawal safeguards, and the cautious rollout of cross-margin trading. Nitron lending will remain paused until a redeployment under stricter conditions in "Nitron v2." The Demex team reiterates their accountability and ongoing commitment to rebuilding trust and platform integrity.
Demex is in the process of implementing stricter withdrawal safeguards and introducing on-chain, TVL-based circuit breakers. These measures aim to prevent similar manipulation attempts by halting suspicious activity automatically based on real-time protocol conditions.
Demex is a decentralized finance platform offering high-leverage perpetual trading and flexible yield-earning options like lending, staking, and liquidity pools, all supported by fast execution and deep liquidity via their proprietary DemexBFT consensus. However, the platform suffered a major exploit when an attacker manipulated a deprecated vault’s pricing oracle to inflate asset values, enabling them to steal nearly $950,000. The vulnerability stemmed from missing safeguards and incomplete auditing. In response, Demex is actively working to recover funds, pausing interest accrual, and launching a hybrid restitution plan with the nLEND recovery token to compensate affected users. They are also enhancing security with new withdrawal safeguards and circuit breakers, pausing lending until stricter protocols are in place, and remain focused on restoring trust and platform stability.
Nitron Exploit Post-Mortem: What Happened, What Was Lost, and What’s Next - Demex Blog (May 28)
Nitron Exploit Update: Recovery, Restitution & Next Steps - Demex Blog (May 28)
Dem Exchange Homepage (May 28)
Dem Exchange Offers Hacker A $120k Bounty - Etherscan (May 28)
Attacker Moving 0.9611 Wrapped Bitcoin - Etherscan (May 28)
