Nitron Exploit Post-Mortem: What Happened, What Was Lost, and What’s Next

On May 16th, Demex's lending markets (Nitron) were exploited, resulting in a loss of $950,559 in user funds. The exploit was isolated to Nitron — no user funds in spot or perpetual trading were affected, and those services remain fully operational.

This post outlines what happened, how it could have been prevented, and what we’re doing in response.


🚨 What Happened

The root cause of the exploit was a donation-based oracle manipulation attack on the deprecated dGLP vault, which had very low TVL at the time.

Here’s how the attacker executed the exploit:

  1. Donated fsGLP directly to the dGLP vault. Because the vault derived its redemption rate from the fsGLP balance it held rather than from tracked deposits, a plain token transfer inflated the rate without minting any dGLP. The vault was deprecated and most users had already withdrawn, so its TVL was tiny and even a modest donation moved the rate dramatically.
  2. The Demex oracle, which priced dGLP from that redemption rate, then published the manipulated value to the Nitron markets.
  3. The attacker posted dGLP as collateral at the inflated price and borrowed real assets from Nitron lenders against it.
  4. They then withdrew the borrowed assets and exited with the profit.

🛑 Why the Oracle Failed

The dGLP contract was audited, but not in the context of its redemption rate being consumed as an oracle input. We should have told the auditors about that use; had we done so, the issue might have been caught. The contract itself could have been hardened by computing its redemption rate from tracked deposits rather than from the total fsGLP balance held by the contract, which anyone can inflate with a plain transfer.

An oracle safeguard was also intended but tragically never implemented.

  • The oracle was designed to cap dGLP’s price at $2.
  • This safeguard was meant to be manually adjusted if the cap was reached, which would act as a stopgap against unforeseen manipulation.
  • Unfortunately, this was never implemented by the developer, and the omission was not caught during review.

Had the cap been properly in place — especially in combination with the low dGLP Loan-To-Value (LTV) allowance — the attacker would not have been able to profit from the manipulation.

Finally, we should have set both the LTV and the supply cap for dGLP on Nitron to zero when the vault was deprecated, since the asset was no longer in use.
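To make the accounting flaw and the two missing guards concrete, here is a small Python model. It is an added illustration written for this write-up, not Demex, Nitron or dGLP code: the class and function names, the 100/900/9,000 fsGLP figures, the $1 GLP price and the 50% LTV are all assumptions chosen for the example; only the $2 price cap comes from the text. It computes the vault's share rate two ways (from the contract's token balance, as the flawed vault did, and from tracked deposits, as suggested above), then shows the borrow capacity Nitron would grant against the attacker's dGLP with and without the price cap, and with LTV set to zero.

```python
"""Toy model of the dGLP donation attack and the guards the post-mortem names.

Added illustration only: none of this is Demex, Nitron or dGLP code. The class
names, the fsGLP amounts, the $1 GLP price and the 50% LTV are hypothetical;
only the $2 price cap is taken from the post-mortem.
"""
from dataclasses import dataclass
from typing import Optional

GLP_PRICE_USD = 1.0  # assumed spot price of one fsGLP (hypothetical)


@dataclass
class Vault:
    """Vault holding fsGLP and issuing dGLP shares.

    `balance` is what the contract actually holds, which a plain token
    transfer (a donation) can raise; `tracked_deposits` only changes through
    deposit(). rate_from_balance=True models the flawed accounting,
    False the tracked-deposits fix suggested in the post-mortem.
    """
    rate_from_balance: bool = True
    balance: float = 0.0
    tracked_deposits: float = 0.0
    shares: float = 0.0

    def redemption_rate(self) -> float:
        """fsGLP per dGLP share; 1.0 for an empty vault."""
        if self.shares == 0:
            return 1.0
        assets = self.balance if self.rate_from_balance else self.tracked_deposits
        return assets / self.shares

    def deposit(self, amount: float) -> float:
        """Deposit fsGLP and mint dGLP at the current rate; returns shares minted."""
        minted = amount / self.redemption_rate()
        self.balance += amount
        self.tracked_deposits += amount
        self.shares += minted
        return minted

    def donate(self, amount: float) -> None:
        """Plain transfer into the vault: no shares minted, deposits not tracked."""
        self.balance += amount


def oracle_price(vault: Vault, cap_usd: Optional[float] = None) -> float:
    """dGLP price in USD as the oracle publishes it: rate * GLP price, optionally capped."""
    price = vault.redemption_rate() * GLP_PRICE_USD
    return min(price, cap_usd) if cap_usd is not None else price


def borrow_capacity(shares: float, price_usd: float, ltv: float) -> float:
    """USD a borrower may draw against `shares` dGLP valued at `price_usd` with loan-to-value `ltv`."""
    return shares * price_usd * ltv


def capped_bound(shares: float, cap_usd: float, ltv: float) -> float:
    """Upper bound on borrow capacity once a cap is in place, independent of any donation."""
    return shares * cap_usd * ltv


def simulate(donation: float, *, rate_from_balance: bool, cap_usd: Optional[float], ltv: float) -> dict:
    """Replay the scenario: leftover TVL, attacker deposit, donation, then borrow."""
    vault = Vault(rate_from_balance=rate_from_balance)
    vault.deposit(100.0)                    # residual TVL in the deprecated vault (constructed)
    attacker_shares = vault.deposit(900.0)  # attacker buys in at the honest rate of 1.0
    vault.donate(donation)                  # the manipulation: balance up, shares unchanged
    price = oracle_price(vault, cap_usd)
    return {
        "rate": vault.redemption_rate(),
        "price_usd": price,
        "attacker_shares": attacker_shares,
        "borrow_usd": borrow_capacity(attacker_shares, price, ltv),
    }


if __name__ == "__main__":
    scenarios = {
        "flawed rate, no cap":      dict(rate_from_balance=True,  cap_usd=None, ltv=0.5),
        "tracked deposits, no cap": dict(rate_from_balance=False, cap_usd=None, ltv=0.5),
        "flawed rate, $2 cap":      dict(rate_from_balance=True,  cap_usd=2.0,  ltv=0.5),
        "flawed rate, LTV 0":       dict(rate_from_balance=True,  cap_usd=None, ltv=0.0),
    }
    for donation in (9_000.0, 90_000.0):
        print(f"donation of {donation:,.0f} fsGLP")
        for name, kw in scenarios.items():
            r = simulate(donation, **kw)
            print(f"  {name:<26} rate={r['rate']:>6.1f} price=${r['price_usd']:>5.2f} borrow=${r['borrow_usd']:>9,.2f}")
```

The model stops at borrow capacity; it does not model the attacker's exit or the lenders' recovery, which this post does not detail. What it shows is that capacity under the balance-derived rate grows with the size of the donation, that the tracked-deposits rate does not move at all, that a price cap pins capacity at shares × cap × LTV no matter how large the donation, and that an LTV of zero removes it entirely.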

This is a serious failure in both implementation and auditing that we take full responsibility for.


📉 Total Funds Lost

The total amount exploited was $950,559, spread across several lent assets.

The majority of this amount came from milkTIA, alongside smaller portions of other lent assets.


🛠️ What We’re Doing Now

  • Tracing Funds: The attacker’s addresses are being monitored across chains. We are actively coordinating with exchanges and infrastructure partners in an attempt to freeze or recover funds where possible.
  • Pausing Interest Accrual: We will set interest rates on Nitron assets to zero so that borrowers do not continue to accumulate debt while the market is paused.
  • Restitution Plan: We are currently discussing options for restitution and will share a proposal by Monday, May 19th UTC+8.
  • Withdrawal Safeguards: We are introducing stricter withdrawal protections and on-chain, TVL-based circuit breakers to mitigate similar attacks in the future.

🔮 Will Nitron Resume?

We are currently discussing whether Nitron should be relaunched.

If we move forward:

  • TVL-based limits and circuit breakers will be implemented so that such exploits are mitigated automatically.
  • All assets will be subject to stricter caps and hard-coded sanity checks.
  • All oracles will undergo a regular review of their spec and implementation.

Nitron will remain paused at least until the restitution plan is confirmed and the on-chain adjustments have been made that allow lenders to withdraw available assets and borrowers to repay debt.


💬 Final Thoughts

We are deeply sorry for this incident. The responsibility lies with us. We're taking this breach of trust seriously and are committed to making it right.

To everyone affected: we will keep fighting for accountability and restitution. You’ll hear from us again soon with a full proposal.

Thank you for your patience,
The Demex Team