On March 13th, 2023, the lending protocol Euler Finance suffered a significant blow, as it was targeted in a flash loan attack resulting in losses that could amount up to nine figures. The project recently released details of the attack, shedding light on how the hacker was able to exploit the protocol.
The project shared a post-mortem update on its official Twitter account, in which it described the measures it took to address the issue. These measures included disabling the EToken module, which blocked deposits and the vulnerable donation function that enabled the attack to take place.
An update on our work today to recover funds for Euler protocol users.
Here are a few actions we took immediately:
1. Stopped the direct attack as soon as possible by helping disable the EToken module, which blocked deposits and the vulnerable donation function
2. Engaged TRM… https://t.co/6ZClE9uGoH
— Euler Labs (@eulerfinance) March 14, 2023
The project also engaged TRM Labs, Chainalysis, and the broader Ethereum security community to aid in the investigation and recovery of funds. Furthermore, they notified and shared information with law enforcement agencies in the US and the UK.
The project also tried to contact the perpetrators of the attack to gain more information about its options. An auditing partner of Euler Finance, Omniscia, prepared a technical post-mortem that analyzed the attack in detail.
According to Omniscia’s report, the attacker exploited vulnerable code that enabled them to create an unbacked token debt position by donating funds to the protocol’s reserves. As a result, the attacker was able to liquidate these underwater accounts and profit from the liquidation bonuses. Euler Finance worked with various security groups to perform audits of the protocol, and while the vulnerable code was reviewed and approved during an outside audit, the vulnerability was not discovered.
The vulnerability remained on-chain for eight months until the attack occurred, despite the project offering a $1 million bug bounty program during that time. Euler Finance expressed its devastation at the effect of the attack on its users and pledged to work with its security partners, law enforcement, and the broader community to resolve the issue as best they could.
Unfortunately, the impact of Euler Finance has spread to many other DeFi projects, as all the pieces use the Euler platform to build their products.
Some popular names include:
Balancer: The entity has transferred $11.9 million to Euler in the form of bbeUSD tokens.
Yearn Finance: Estimated losses of $1.38 million.
Angle Protocol: Estimated losses of 17 million USDC.
Yield Protocol: Estimated losses of $1.5 million.
Inverse Finance: $860,000.
Other names such as Mean, Opyn, and Sense also suffered losses.
Sherlock, a leading insurance provider, reported that the losses incurred by Euler Finance amounted to $200 million, with only $3.3 million of the $4.5 million in insured assets being paid out to date.
Unfortunate news@eulerfinance, a Sherlock protocol customer, was hacked earlier today for ~$200M.
Sherlock verified the root cause, helped Euler submit a claim, held a vote on the claim for $4.5M (which passed), and executed $3.3M of the payout today.https://t.co/CT7aBml9bV
— SHERLOCK (@sherlockdefi) March 13, 2023
The firm stated that it verified the root cause of the attack, assisted Euler Finance in submitting a claim, held a vote on the claim, which passed, and executed the payout. Sherlock is one of Euler’s earliest customers and has worked with the project’s auditors in the past.
It is worth noting that the security auditing for Euler Finance was done before Sherlock’s contest model had launched. This meant that only a few talented eyes reviewed the codebase, instead of the 100-200 that typically review projects in current Sherlock audit contests. This has been a painful lesson for everyone involved in the project.
Security is one of the biggest concerns in the DeFi space, and this attack has demonstrated how crucial it is to perform thorough security audits on every project before they go live. While Euler Finance may recover from this attack, the damage to its reputation and the wider DeFi ecosystem is already evident.
This incident highlights the importance of developing and implementing strong security protocols that can withstand the evolving threat landscape in the DeFi space. As the DeFi industry continues to grow and attract more users and investors, it is imperative that projects prioritize security measures to protect users’ funds and the integrity of the entire ecosystem.
Read more:
- Hedera Hashgraph (HBAR) Reports Abnormal Network Activity, Raises Concerns Of Cyberattack
- Euler Finance Hacked: More Than $197 Million In Cryptocurrency Stolen