Euler Finance has become the latest decentralized finance (DeFi) protocol to fall victim to a flash loan-assisted attack, losing roughly $197 million worth of staked ETH, the DAI stablecoin, and other tokens.
The attack was first discovered by security researchers at PeckShield, a blockchain security and data analytics firm.
Hi @eulerfinance: you may want to take a look: https://t.co/L7ddZhHNq5
— PeckShield Inc. (@peckshield) March 13, 2023
A separate breakdown by security firm BlockSec put the haul at $135.8 million in staked Ether, $33.8 million in the USDC stablecoin, $18.5 million in Wrapped BTC (WBTC), and $8.7 million in DAI, a decentralized stablecoin, consistent with the $197 million total.
A detailed breakdown by Singaporean Web3 security firm Numen Cyber found that the attackers exploited a flaw in the platform’s ‘donateToReserves’ function, which moves a user’s collateral into the protocol’s reserves without the liquidity check that Euler’s other balance-changing functions perform. Using 30 million DAI borrowed from Aave through a flash loan as starting capital, they executed a series of transactions that drained nearly $200 million from the protocol.
Because Euler Finance did not call ‘checkLiquidity’ at the end of ‘donateToReserves’, a user could “first put themselves in a state of liquidation through certain functions of the protocol, and then complete the liquidation,” Numen said. In other words, the attacker deliberately made one of their own accounts undercollateralized, then liquidated it from a second account at the protocol’s liquidation discount.
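To make the mechanism concrete, below is a toy single-asset lending pool written for this article. It is an added illustration, not Euler Finance’s Solidity: the pool keeps eTokens (collateral claims on pool cash) and dTokens (debt) per account, ‘mint’ is a self-collateralized borrow, and ‘donate_to_reserves’ takes a flag so the vulnerable and hardened behaviour can be compared side by side. The collateral factor, liquidation discount, account names and all balances are constructed, and the flash loan is not modelled, since it only supplies the attacker’s starting capital.

```python
"""Toy lending pool showing the missing liquidity check on donateToReserves.

Added illustration, not Euler's code. Collateral factor, discount and balances
are constructed; the flash loan (starting capital) is replaced by a deposit.
"""
from dataclasses import dataclass, field
from fractions import Fraction as F


class Reverted(Exception):
    """Stands in for a Solidity revert."""


@dataclass
class Account:
    collateral: F = F(0)  # eTokens held
    debt: F = F(0)        # dTokens owed


@dataclass
class Pool:
    collateral_factor: F = F(95, 100)  # constructed: debt may be at most 0.95x collateral
    liq_discount: F = F(20, 100)       # constructed: 1.2 collateral per 1 debt assumed
    cash: F = F(0)                     # underlying tokens the pool actually holds
    reserves: F = F(0)                 # protocol-owned eTokens
    accounts: dict = field(default_factory=dict)

    def acct(self, who):
        return self.accounts.setdefault(who, Account())

    def healthy(self, who):
        a = self.acct(who)
        return a.collateral * self.collateral_factor >= a.debt

    def check_liquidity(self, who):
        if not self.healthy(who):
            raise Reverted(f"{who} would be undercollateralised")

    def deposit(self, who, amt):
        self.cash += amt
        self.acct(who).collateral += amt

    def withdraw(self, who, amt):
        a = self.acct(who)
        if amt > a.collateral or amt > self.cash:
            raise Reverted("insufficient collateral or pool cash")
        a.collateral -= amt
        self.cash -= amt
        self.check_liquidity(who)

    def mint(self, who, amt):
        """Self-collateralised borrow: equal eTokens and dTokens, no cash moves."""
        a = self.acct(who)
        a.collateral += amt
        a.debt += amt
        self.check_liquidity(who)

    def donate_to_reserves(self, who, amt, check):
        """Burn the donor's eTokens into reserves. With check=False the donor's
        debt may be left exceeding their collateral: the flaw described above."""
        a = self.acct(who)
        if amt > a.collateral:
            raise Reverted("donating more than held")
        a.collateral -= amt
        self.reserves += amt
        if check:  # the call the vulnerable function lacked
            self.check_liquidity(who)

    def liquidate(self, liquidator, violator):
        """Liquidator assumes debt and receives collateral at a discount. If the
        collateral cannot cover the debt even at the discount, the liquidator
        takes all of it and only the debt it covers; the rest stays as bad debt."""
        if self.healthy(violator):
            raise Reverted("violator is healthy")
        v, l = self.acct(violator), self.acct(liquidator)
        repay = min(v.debt, v.collateral / (1 + self.liq_discount))
        seized = repay * (1 + self.liq_discount)
        v.debt -= repay
        v.collateral -= seized
        l.debt += repay
        l.collateral += seized
        self.check_liquidity(liquidator)

    def max_withdrawable(self, who):
        a = self.acct(who)
        return min(self.cash, a.collateral - a.debt / self.collateral_factor)

    def bad_debt(self):
        return sum((max(F(0), a.debt - a.collateral) for a in self.accounts.values()), F(0))


def run_attack(check_liquidity_on_donate):
    """Self-liquidation from two attacker accounts. Returns a summary, or raises
    Reverted when donate_to_reserves performs the health check (hardened pool)."""
    pool = Pool()
    pool.deposit("lp", F(1000))       # constructed: other users' liquidity
    pool.deposit("violator", F(10))   # attacker capital
    pool.mint("violator", F(190))     # 20x self-leverage, health exactly 1.0
    pool.donate_to_reserves("violator", F(100), check_liquidity_on_donate)
    pool.liquidate("liquidator", "violator")
    cash_out = pool.max_withdrawable("liquidator")
    pool.withdraw("liquidator", cash_out)
    liq = pool.acct("liquidator")
    return {
        "cash_out": cash_out,
        "attacker_gain": cash_out + (liq.collateral - liq.debt) - F(10),
        "bad_debt": pool.bad_debt(),
        "reserves": pool.reserves,
    }


def attack_succeeds(check_liquidity_on_donate):
    try:
        run_attack(check_liquidity_on_donate)
        return True
    except Reverted:
        return False
```

Running `run_attack(False)` walks through the vulnerable pool: the violator account ends with zero collateral and uncollectable debt, the liquidator account ends with more collateral than debt and withdraws real cash, and the attacker’s gain equals the bad debt left behind minus the donation that went to reserves. With `check_liquidity_on_donate=True` the donation itself reverts, which is the one-line fix the page describes.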
The Singaporean security firm was able to reproduce the attack.
We successfully reproduced the attack. Detailed attack analysis coming soon #eulerfinance https://t.co/mDjcSqDyuk pic.twitter.com/kfTbWKTl3O
— NumenAlert Ⓝ (@NumenAlert) March 13, 2023
Euler Finance at first said only that it was looking into the incident, but later confirmed the attack. In an update hours later, the protocol’s developers said they had stopped the attack and engaged security firms Chainalysis and TRM Labs for assistance. They also notified U.S. and U.K. law enforcement agencies.
“We also contacted those responsible for the attack to see if we might learn more about our options,” they said.
Euler further said it had been audited by “various security groups,” none of which found the vulnerability.
“The vulnerability remained on-chain for eight months until it was exploited today, despite a $1M bug bounty being in place during that time,” it noted.
Most of the stolen funds are still sitting in the attackers’ wallet address. However, London-based security firm Elliptic says the attackers have started laundering some of the funds through Tornado Cash, the decentralized coin mixer built on Ethereum that was sanctioned by the U.S. Treasury in 2022. The mixer’s developer, Alexey Pertsev, was arrested in 2022 by Dutch police and remains in custody.
The Euler Finance attack is the largest in the digital asset world this year, but ranks only 26th on the all-time list, according to De.Fi, a database that tracks funds lost by digital asset platforms. Cumulatively, over $75 billion has been lost since 2011.