BSV
$69.06
Vol 75.88m
-4.14%
BTC
$98160
Vol 58852.09m
-0.13%
BCH
$512.87
Vol 794.74m
0.21%
LTC
$96.87
Vol 1201.62m
-3.54%
DOGE
$0.42
Vol 11015.82m
-1.96%
Getting your Trinity Audio player ready...

Euler Finance has become the latest decentralized finance (DeFi) protocol to fall victim to a flash loan attack, losing $197 million worth of staked ETH, DAI stablecoin, and other tokens.

The attack was first discovered by security researchers at PeckShield, a blockchain security and data analytics firm.

A separate report by security firm BlockSec revealed that the attackers had stolen £135.8 million ($165 million) worth of Staked Ether, $33.8 million worth of USDC stablecoin, $18.5 million in Wrapped BTC, and $8.7 million in DAI, a decentralized stablecoin.

A detailed breakdown by Singaporean Web 3 security firm Numen Cyber revealed that the attackers exploited a vulnerability in the platform’s ‘donateToReserves’ function, which lacks liquidity checks. Having borrowed 30 million DAI from Aave through a flash loan, they executed a series of transactions that ultimately ended up draining nearly $200 million from the protocol.

Euler Finance failed to implement ‘checkLiquidity’ on its ‘donateToReserves’ function; this allowed users to “first put themselves in a state of liquidation through certain functions of the protocol, and then complete the liquidation,” Numen revealed.

The Singaporean security firm was able to reproduce the attack.

Euler Finance at first claimed to be looking into the incident, but it later owned up to the attack. In an update hours later, the protocol’s developers claimed to have stopped the attack and engaged security firms Chainalysis and TRM Labs for assistance. They also notified U.S. and U.K. law enforcement agencies.

“We also contacted those responsible for the attack to see if we might learn more about our options,” they said.

Euler further claimed to have been audited by “various security groups,” none of whom unearthed the vulnerability.

“The vulnerability remained on-chain for eight months until it was exploited today, despite a $1M bug bounty being in place during that time,” it noted.

Most stolen funds are still being held on the attackers’ wallet address. However, London-based security firm Elliptic says the attackers have started laundering some of the funds through Tornado Cash, the decentralized coin mixer built on Ethereum that has been sanctioned by the U.S. government. The mixer’s developer, Alexey Pertsev, was arrested in 2022 by Dutch police and remains in jail.

The Euler Finance attack is the largest in the digital asset world this year, but only ranks 26th in the all-time list, as per De.Fi, a database that tracks funds lost to digital asset platforms. Cumulatively, over $75 billion has been lost since 2011.

Watch: Small Payments, Big Fun:Micropayments for Casual Games

Recommended for you

Lido DAO members liable for their actions, California judge rules
In a ruling that has sparked outrage among ‘Crypto Bros,’ the California judge said that Andreessen Horowitz and cronies are...
November 22, 2024
How Philippine Web3 startups can overcome adoption hurdles
Key players in the Web3 space were at the Future Proof Tech Summit, sharing their insights on how local startups...
November 22, 2024
Advertisement
Advertisement
Advertisement