Euler Finance hacked for over $195M in a flash loan attack

According to on-chain data, the attacker stole nearly $196 million, making this attack the largest hack of 2023.

Jonathan Gan
Mar 14, 2023
[Figure: breakdown of the stolen funds. The ongoing attack has already become the largest hack of 2023.]

Euler Finance, an Ethereum-based noncustodial lending protocol, suffered a flash loan attack on March 13th, resulting in the theft of millions of Dai, USD Coin, staked Ether, and wrapped Bitcoin. According to on-chain data, the attacker stole nearly $196 million, making this attack the largest hack of 2023.

The attacker used a multichain bridge to transfer funds from the BNB Smart Chain (BSC) to Ethereum and launched the attack. The stolen funds are currently sitting in the hacker’s addresses.

Euler Finance acknowledged the exploit and is working with security professionals and law enforcement to resolve the issue.

Blockchain security firm SlowMist conducted a detailed analysis of the attack, indicating that the attacker used flash loans to deposit funds and then leveraged them twice to trigger liquidation. The exploiter donated the funds to the reserve address and conducted a self-liquidation to collect any remaining assets.

Two factors contributed to the success of the exploit:

  • Firstly, the funds were donated to the reserved address without being subjected to a liquidity check, triggering soft liquidation.
  • Secondly, the soft liquidation logic was triggered by high leverage, enabling the liquidator to obtain most of the collateral funds from the liquidated user’s account by transferring only a portion of the liabilities to themselves.

Solutions developer Gustavo Gonzalez of blockchain security firm OpenZeppelin explained that there appears to be a bug in one of the Euler smart contracts: it does not check the health factor when executing the donateToReserves() function.

It all happened in one transaction (one per pool) using flash loans from Aave. He explained:

“There appears to be a bug in one of the Euler smart contracts, where it doesn’t check for the health factor when executing the donateToReserves() function. Because of that, the attacker was able to liquidate himself from the protocol, repay the flashloan and make a huge profit.”
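To make the missing-check point concrete, here is a toy lending-pool ledger in Python. It is an added example, not Euler's code and not the OpenZeppelin or SlowMist analysis: the pool, the 0.75 collateral factor, the account names and the two `donate_to_reserves_*` methods are all assumed for illustration, and flash loans and liquidation are deliberately left out. The only thing it shows is the invariant the article describes: `borrow()` re-checks account health after changing balances, while an unchecked donation moves collateral out of the account without that check, leaving a position the pool's own rules would never have allowed. The hardened version applies the same post-state check before committing.

```python
"""Toy lending-pool ledger (added example, not Euler's code).

Demonstrates why every operation that changes an account's balances must
re-run the same liquidity (health) check that borrow() already applies.
"""
from dataclasses import dataclass, field

COLLATERAL_FACTOR = 0.75  # assumed: 1 unit of collateral backs 0.75 units of debt


class UnhealthyAccount(Exception):
    """Raised when an operation would leave an account below the health threshold."""


@dataclass
class Account:
    collateral: float = 0.0
    debt: float = 0.0

    def health(self) -> float:
        """Health factor: borrowing power divided by debt (infinite when debt-free)."""
        if self.debt == 0:
            return float("inf")
        return (self.collateral * COLLATERAL_FACTOR) / self.debt


@dataclass
class Pool:
    reserves: float = 0.0
    accounts: dict = field(default_factory=dict)

    def _acct(self, who: str) -> Account:
        return self.accounts.setdefault(who, Account())

    def _check_liquidity(self, who: str) -> None:
        if self._acct(who).health() < 1.0:
            raise UnhealthyAccount(who)

    def deposit(self, who: str, amount: float) -> None:
        self._acct(who).collateral += amount

    def borrow(self, who: str, amount: float) -> None:
        # Guarded path: the post-state health check runs after the balance change.
        self._acct(who).debt += amount
        self._check_liquidity(who)

    def donate_to_reserves_unchecked(self, who: str, amount: float) -> None:
        # Vulnerable pattern from the article: collateral leaves the account
        # and no liquidity check runs afterwards.
        acct = self._acct(who)
        if amount > acct.collateral:
            raise ValueError("insufficient collateral")
        acct.collateral -= amount
        self.reserves += amount

    def donate_to_reserves_checked(self, who: str, amount: float) -> None:
        # Hardened version: evaluate the post-state before committing it
        # (on-chain, a failed check would revert the whole transaction).
        acct = self._acct(who)
        if amount > acct.collateral:
            raise ValueError("insufficient collateral")
        after = Account(collateral=acct.collateral - amount, debt=acct.debt)
        if after.health() < 1.0:
            raise UnhealthyAccount(who)
        acct.collateral -= amount
        self.reserves += amount


def demonstrate() -> dict:
    """Run both variants on the same constructed position and report the outcome."""
    # Constructed position: 100 collateral, 70 debt -> health 75/70 > 1, so allowed.
    unchecked = Pool()
    unchecked.deposit("alice", 100)
    unchecked.borrow("alice", 70)
    unchecked.donate_to_reserves_unchecked("alice", 20)
    health_after_unchecked = unchecked.accounts["alice"].health()  # 60/70 < 1

    checked = Pool()
    checked.deposit("alice", 100)
    checked.borrow("alice", 70)
    try:
        checked.donate_to_reserves_checked("alice", 20)
        rejected = False
    except UnhealthyAccount:
        rejected = True

    return {
        "health_after_unchecked": health_after_unchecked,
        "checked_rejected": rejected,
        "collateral_after_checked": checked.accounts["alice"].collateral,
        "reserves_after_checked": checked.reserves,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The design choice worth copying is that the health check is a single function applied to the post-state of every balance-changing entry point, not a guard bolted onto `borrow()` alone; a donation, transfer or any other path that reduces collateral or raises debt must go through it, or the protocol ends up holding positions it would have refused to open.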

Euler Finance became popular for offering liquid staking derivative (LSD) services. Currently, LSDs account for up to 20% of the total value locked in decentralized finance protocols. Euler Finance raised $32 million in a funding round last year that saw participation from FTX, Coinbase, Jump, Jane Street, and Uniswap.

This attack highlights the importance of conducting regular security audits and implementing robust security measures to prevent such attacks. It also underscores the need for caution when participating in the decentralized finance (DeFi) space, as these types of attacks are not uncommon. Users should do their due diligence before using any DeFi protocol and consider the risks involved.

The stolen funds are currently sitting in the following hacker addresses:

  • 0xebc29199c817dc47ba12e3f86102564d640cbf99 (Contract) — 8,877,507.34 DAI
  • 0xb2698c2d99ad2c302a95a8db26b08d17a77cedd4 — 8,080.97 ETH
  • 0xb66cd966670d962c227b3eaba30a872dbfb995db — 88,752.69 ETH & 34,186,225.91 DAI

Jonathan Gan

A Software Engineer who explores for clarity and observes for inspiration