Euler Finance fell victim to a flash loan attack that resulted in the loss of more than $195 million in stablecoins and ERC-20 tokens.
On March 13, Euler Finance, a noncustodial lending protocol based on Ethereum, was hit by a flash loan attack. This resulted in the theft of millions of dollars in Dai (DAI), USD Coin (USDC), staked Ether (stETH), and wrapped Bitcoin (wBTC). As per the latest update from on-chain data, the attacker carried out multiple transactions and was able to steal almost $196 million, making it the largest hack of 2023 thus far.
The funds stolen include the following:
- DAI (8,877,507.35)
- wBTC (849.14)
- stETH (73,821.42)
- USDC (34,413,863.42)
- stETH (3,897.50)
- stETH (8,099.30)
As per findings by the crypto analytic company Meta Seluth, the recent attack appears to be linked to the deflation attack that occurred a month ago. The attacker leveraged a multichain bridge to transfer the funds from BNB Smart Chain (BSC) to Ethereum and executed the attack today.
This DeFi attack on Euler Finance is one of the most significant hacks of 2023 thus far.
Movement of funds from Euler Finance. Source: Meta Seluth
ZachXBT, another well-known on-chain investigator, confirmed the correlation and stated that the attack’s fund movement and approach bear striking similarities to those of bad actors who recently targeted a BSC-based protocol.
In the previous attack, the attackers deposited the funds into Tornado Cash, a cryptocurrency mixer. Presently, the illicitly obtained funds are residing in the following hacker-controlled addresses:
- 0xebc29199c817dc47ba12e3f86102564d640cbf99 (Contract) – 8,877,507.34 DAI
- 0xb2698c2d99ad2c302a95a8db26b08d17a77cedd4 – 8,080.97 ETH
- 0xb66cd966670d962c227b3eaba30a872dbfb995db – 88,752.69 ETH & 34,186,225.91 DAI
Euler Finance has acknowledged the exploitation and reported that they are working closely with security experts and law enforcement agencies to address the matter.
According to Slowmist, a blockchain security firm that conducted an in-depth analysis of the attack, the attacker utilized flash loans to deposit funds and then proceeded to trigger liquidation by leveraging them twice. After donating the funds to the reserved address, the exploiter performed a self-liquidation to obtain any remaining assets.
The exploit’s success can be attributed to two key factors. Firstly, the funds were donated to the reserved address without undergoing a liquidity check, resulting in a soft liquidation. Secondly, the soft liquidation logic was activated by high leverage, allowing the liquidator to acquire most of the collateral funds from the liquidated user’s account by only transferring a portion of the liabilities to themselves.
The entire process occurred within a single transaction (one per pool) using flash loans obtained from AAVE.
It seems that one of the smart contracts in Euler has a glitch where it fails to verify the health factor during the execution of the donateToReservers() function. As a result, the attacker could liquidate their position from the protocol, repay the flash loan, and generate a substantial profit.
In a funding round last year, Euler Finance secured $32 million in investments from notable entities such as FTX, Coinbase, Jump, Jane Street, and Uniswap. Euler Finance garnered significant attention for its liquid staking derivatives (LSDs) offerings, which enable stakers to unlock liquidity for staked cryptocurrencies like Ether and potentially increase their returns. LSDs are a relatively new type of token, and they now account for up to 20% of the total value locked in decentralized finance protocols.
Euler Finance tries to retrieve the stolen funds
Shortly after the announcement of a $1 million bounty, the illicitly obtained funds were transferred to the cryptocurrency mixer Tornado Cash.
Euler Finance issued a demand for the hacker to return 90% of the stolen funds within a 24-hour period to potentially avoid facing legal consequences.