Demex Nitron Lending Market Oracle Manipulation Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Dem Exchange (Demex) Logo/Homepage

Demex is a decentralized finance platform offering high-leverage perpetual trading and flexible yield-earning options like lending, staking, and liquidity pools, all supported by fast execution and deep liquidity via their proprietary DemexBFT consensus. However, the platform suffered a major exploit when an attacker manipulated a deprecated vault’s pricing oracle to inflate asset values, enabling them to steal nearly $950,000. The vulnerability stemmed from missing safeguards and incomplete auditing. In response, Demex is actively working to recover funds, pausing interest accrual, and launching a hybrid restitution plan with the nLEND recovery token to compensate affected users. They are also enhancing security with new withdrawal safeguards and circuit breakers, pausing lending until stricter protocols are in place, and remain focused on restoring trust and platform stability.[1][2][3][4][5]

About Demex

Demex positions itself as an all-in-one decentralized finance (DeFi) platform, offering both high-performance trading and yield-earning opportunities. Users can trade perpetual contracts with up to 100x leverage across top crypto markets like ETH, BTC, and BNB, while enjoying fast execution, deep liquidity, and low fees—all powered by DemexBFT, a proprietary consensus mechanism optimized for speed and security. On the earning side, users can participate in lending, liquidity pools, and staking without lock-up periods, benefiting from flexible, on-chain income with competitive APYs.

The platform currently supports 280 markets, with over $5.5 million in total value locked and more than $140,000 in 24-hour trading volume. Demex also supports cross-chain liquidity, allowing users to earn and trade across multiple blockchain ecosystems. Upcoming features in their roadmap include the launch of the $DMX token, multi-collateral support, advanced order types, and integration with centralized exchanges and Web3 wallets. By combining fast, decentralized trading with robust yield-generation tools, Demex aims to be a one-stop destination for both professional traders and passive crypto earners.

The Reality

Unfortunately, the Demex smart contract contained a vulnerability where a deprecated vault’s pricing oracle could be manipulated through donation-based attacks. This flaw allowed an attacker to artificially inflate the vault’s token redemption rate, which was then reflected across lending markets as an inflated asset price.

What Happened

An attacker exploited a vulnerability in Demex’s deprecated dGLP vault by manipulating its oracle pricing through a donation-based attack, allowing them to borrow and steal assets.

Key Event Timeline - Demex Nitron Lending Market Oracle Manipulation Exploit

May 15th, 2025 5:15:11 PM MDT - Attacker Moved Wrapped Bitcoin: The attacker moves wrapped bitcoin to their Ethereum address (which is later contacted).

May 15th, 2025 10:18:27 PM MDT - Demex Exchange Blog Post: Demex posts a post-mortem detailing a $950,559 exploit on its Nitron lending platform, caused by a donation-based oracle manipulation attack on a deprecated dGLP vault with low TVL. The attacker inflated dGLP prices via the vault, used it as collateral, and withdrew real assets. The failure stemmed from a missing price cap safeguard and improper contract auditing. Demex acknowledges full responsibility and is tracing funds, pausing interest, and preparing a restitution plan. Stricter safeguards and reviews are promised before any potential Nitron relaunch.

May 16th, 2025 12:02:35 AM MDT - Bounty Offered To Hacker: The hacker is offered a bounty via an Ethereum blockchain message.

May 19th, 2025 4:53:40 AM MDT - Update And Recovery Plan: Demex shares an in-depth update with their community outlining recovery efforts, restitution plans, and their roadmap for moving forward. They began by contacting the attacker with a $120,000 bounty offer for the return of stolen funds, warning of legal action if unresponsive. So far, Demex has recovered $78,066 (8.2% of the total stolen amount) through coordination with infrastructure partners and exchanges, with ongoing efforts to recover more.

Technical Details

Demex's post-incident analysis identified the root cause of the exploit as a donation-driven oracle manipulation attack that exploited vulnerabilities in the deprecated dGLP vault.

The exploit on Demex’s Nitron lending platform was rooted in an oracle manipulation attack targeting the deprecated dGLP vault, which had a very low total value locked (TVL) after most users had withdrawn. The attacker donated a small amount of fsGLP to the nearly empty vault, which manipulated the internal accounting and significantly inflated the GLP redemption rate. Since the vault was no longer in active use and poorly monitored, this manipulation went unnoticed.

Demex’s oracle, tasked with pricing dGLP, accepted the artificially inflated redemption rate and propagated it across the Nitron markets. The attacker then used the falsely high dGLP value as collateral to borrow legitimate assets from other users. Once the assets were withdrawn, the attacker exited the system, effectively stealing nearly $1 million in user funds.

A critical component of this failure was the design and oversight of the oracle system. Although the dGLP contract had been audited, the review did not account for its use in pricing data for an oracle. Additionally, a safeguard that was supposed to cap dGLP’s price at $2 was never implemented, and this omission was not caught during internal reviews. Had these controls been in place—such as using only deposits in redemption rate calculations and enforcing the price cap—the exploit likely would have been prevented.
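As an added illustration (not Demex's code), the following constructed model of a share-based vault contrasts the two oracle designs discussed above: one that trusts the raw balance-to-share ratio, and a hardened one that prices from tracked deposits only, applies the $2 cap, and trips a TVL floor of the kind described under Ongoing Developments. The GLP price, the TVL threshold and the deposit and donation amounts are assumptions.

```python
# Constructed model of a share-based vault and two oracle designs.
# Added example, not Demex's code; GLP price, TVL floor and amounts
# are assumptions chosen to illustrate the failure mode described above.

GLP_PRICE_USD = 1.50         # assumed price of the underlying GLP
PRICE_CAP_USD = 2.00         # the $2 cap the page says was never implemented
MIN_TVL_UNDERLYING = 1000.0  # assumed floor for a TVL-based circuit breaker


class ShareVault:
    """Deposits mint shares; a raw transfer ("donation") raises the
    balance without minting shares, so balance/shares moves."""

    def __init__(self):
        self.total_shares = 0.0
        self.balance = 0.0           # raw underlying balance, donations included
        self.tracked_deposits = 0.0  # underlying credited through deposit() only

    def deposit(self, amount):
        if self.total_shares == 0:
            shares = amount
        else:
            shares = amount * self.total_shares / self.balance
        self.total_shares += shares
        self.balance += amount
        self.tracked_deposits += amount
        return shares

    def donate(self, amount):
        # Direct token transfer: no deposit() bookkeeping, no new shares
        self.balance += amount


def naive_price(vault):
    """Vulnerable oracle: trusts balance/shares, so a donation to a
    nearly empty vault inflates the quoted dGLP price."""
    return vault.balance / vault.total_shares * GLP_PRICE_USD


def hardened_price(vault):
    """Hardened oracle: rate from tracked deposits only, clamped to the cap."""
    rate = vault.tracked_deposits / vault.total_shares
    return min(rate * GLP_PRICE_USD, PRICE_CAP_USD)


def tvl_breaker_tripped(vault):
    """TVL-based circuit breaker: a vault this small should not feed
    prices into a lending market at all."""
    return vault.tracked_deposits < MIN_TVL_UNDERLYING


def simulate(legit_deposit, attacker_deposit, donation):
    """Replays the sequence on the page: residual TVL, a deposit, a donation."""
    v = ShareVault()
    v.deposit(legit_deposit)  # the little TVL left after most users withdrew
    v.deposit(attacker_deposit)
    v.donate(donation)
    return {"naive": naive_price(v), "hardened": hardened_price(v),
            "halted": tvl_breaker_tripped(v)}
```

With 2 GLP of real deposits and a 98 GLP donation, the naive oracle quotes $75 per share while the hardened one stays at $1.50 and the breaker halts the feed; the same donation into a vault holding 5,000 GLP moves the naive quote by only about 2%, which is why low TVL was central to the incident.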

Total Amount Lost

Demex reports the amount of loss at $950,559. This figure was copied by SlowMist in their summary publication about the incident. The majority of this amount came from an asset called milkTIA.

The total amount lost has been estimated at $951,000 USD.

Immediate Reactions

In response to the exploit, Demex is taking several immediate actions to manage the aftermath and prevent future incidents. The team is actively tracing the attacker’s addresses across multiple blockchains and working with exchanges and infrastructure partners to freeze or potentially recover stolen funds. To prevent further financial strain on users, interest payments on affected assets are being paused, ensuring that borrowers don’t accumulate additional debt during this period.

Ultimate Outcome

The Nitron exploit has led to significant changes in how Demex approaches recovery, user compensation, and platform security. While approximately $950,000 was lost in the attack, Demex has managed to recover a small portion of the funds and is pursuing further recovery efforts through legal channels and collaboration with ecosystem partners. In response, the team has introduced a hybrid restitution plan centered around a new recovery token, nLEND, which gives affected lenders a transparent claim on unrecovered funds with options to redeem for USDC or convert to DMX in the future, offering potential upside.

Total Amount Recovered

To fairly compensate affected users, Demex is introducing nLEND, a recovery token representing a $1 claim on unrecovered funds. Users whose lent assets were lost will receive nLEND in proportion to their losses, using prices fixed on the exploit date. These tokens will be redeemable for USDC through a dynamic redemption pool, starting at ~$0.082 per nLEND based on current recoveries. Redemption rates will adjust with further recovery or top-ups, and users who redeem early forfeit future claims on those tokens.

In a show of commitment, Demex will allocate at least 25% of any fundraising efforts toward topping up the redemption pool. If full recovery isn't achieved within a year, any remaining nLEND can be converted to DMX, Demex’s native token, at a 150% rate — calculated using the lower of DMX’s launch or one-year price. This hybrid recovery structure allows users to choose between early redemption or waiting for potential upside.

Demex emphasizes that using all treasury funds for immediate repayment would cripple future recovery efforts and harm the broader platform ecosystem. Instead, their recovery plan seeks to balance the needs of affected lenders with the long-term viability of Demex. Upcoming developments include an on-chain upgrade to support nLEND, new withdrawal safeguards, and the cautious rollout of cross-margin trading. Nitron lending will remain paused until a redeployment under stricter conditions in "Nitron v2." The Demex team reiterates their accountability and ongoing commitment to rebuilding trust and platform integrity.

The total amount recovered has been estimated at $78,000 USD.

Ongoing Developments

Demex is in the process of implementing stricter withdrawal safeguards and introducing on-chain, TVL-based circuit breakers. These measures aim to prevent similar manipulation attempts by halting suspicious activity automatically based on real-time protocol conditions.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.