On March 13, 2023, a flash loan attack on Euler Finance led to the loss of hundreds of millions of fake ERC-20 tokens and decentralized stablecoins.
What is Euler?
Euler is a non-custodial, permissionless lending protocol on Ethereum that enables users to hedge against turbulent markets or earn interest on their crypto assets without relying on a trusted third party.
Euler is a collection of smart contracts on the Ethereum blockchain that are publicly accessible to anybody with an internet connection. Holders of the Euler Governance Token (EUL), the protocol's native governance token, control Euler. Euler is completely non-custodial, so users are solely in charge of managing their own funds.
What exactly is a flash loan?
Flash loans are loans issued by smart contracts that let parties borrow money quickly without putting up any collateral. These loans must be repaid in full within the same transaction; otherwise the entire transaction, including the loan, is reverted. Flash loans appeal to DeFi traders looking to maximize arbitrage opportunities. They are also frequently used for self-liquidation and for swapping collateral.
Flash loans have a variety of useful applications, but hackers can also use them to manipulate the price oracles of DeFi protocols. They do this by borrowing enormous sums without providing any collateral so that they can influence token values, usually by buying or selling large quantities of tokens with limited availability.
How did the flash loan attack on Euler Finance happen?
Users borrow and lend on the Euler Finance platform through two main types of tokens: eTokens, which represent collateral, and dTokens, which represent debt. When the platform contains more dTokens than eTokens, the dTokens immediately trigger on-chain liquidation. Euler creates tokens based on the types of funds customers deposit.
A liquidity problem in the eToken's donateToReserves function made the hack possible. The function burned eTokens correctly but handled dTokens improperly, which resulted in an incorrect conversion of borrowed assets to collateralized assets. Euler's hacker used this discrepancy to create the misleading appearance that the platform held a low number of deposited eTokens alongside bogus debt, since the dTokens had not been burnt.
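A minimal model of the accounting flaw described above, added here as an illustration; it is not Euler's contract code. The Account and Market classes, the 1:1 solvency rule and the sample balances are assumptions made for the example, and the checked variant shows one possible invariant check rather than the fix Euler shipped.

```python
from dataclasses import dataclass


class Revert(Exception):
    """Models an EVM revert: the call fails and state is left unchanged."""


@dataclass
class Account:
    e_tokens: int = 0  # collateral claim (eToken balance)
    d_tokens: int = 0  # outstanding debt (dToken balance)

    def is_solvent(self) -> bool:
        # Assumed simplified rule: collateral must cover debt 1:1.
        return self.e_tokens >= self.d_tokens


@dataclass
class Market:
    reserves: int = 0

    def donate_to_reserve_unchecked(self, acct: Account, amount: int) -> None:
        # Behaviour the article describes: eTokens are burnt, dTokens are not,
        # and nothing verifies that the remaining collateral covers the debt.
        if amount > acct.e_tokens:
            raise Revert("insufficient eTokens")
        acct.e_tokens -= amount
        self.reserves += amount

    def donate_to_reserve_checked(self, acct: Account, amount: int) -> None:
        # Hardened variant: apply the donation, then enforce the solvency
        # invariant and roll back if the account would carry unbacked debt.
        snapshot = (acct.e_tokens, self.reserves)
        self.donate_to_reserve_unchecked(acct, amount)
        if not acct.is_solvent():
            acct.e_tokens, self.reserves = snapshot
            raise Revert("donation would leave debt unbacked")


def demo():
    # Constructed sample position: 200 collateral against 150 debt.
    a = Account(e_tokens=200, d_tokens=150)
    Market().donate_to_reserve_unchecked(a, 100)
    bad_debt = a.d_tokens - a.e_tokens  # debt no longer backed by collateral
    b = Account(e_tokens=200, d_tokens=150)
    try:
        Market().donate_to_reserve_checked(b, 100)
        blocked = False
    except Revert:
        blocked = True
    return bad_debt, blocked, b.e_tokens
```

In the unchecked path the account ends with debt exceeding collateral; in the checked path the same donation reverts and the balances are untouched.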
On-chain data shows that, as of the most recent update, the exploiter executed several transactions and stole close to $196 million. The attack is already the largest hack of 2023.
The flash loan attack drained $8.7 million in DAI stablecoin, $18.5 million in Wrapped Bitcoin (WBTC), $135.8 million in Staked Ethereum (stETH), and $33.8 million in USDC from Euler Finance.
The following hacker addresses are now holding the stolen money:
- 0xebc29199c817dc47ba12e3f86102564d640cbf99 (Contract) – 8,877,507.34 DAI
- 0xb2698c2d99ad2c302a95a8db26b08d17a77cedd4 – 8,080.97 ETH
- 0xb66cd966670d962c227b3eaba30a872dbfb995db – 88,752.69 ETH & 34,186,225.91 DAI
Euler Hacker Gives out Stolen ETH
An individual contacted the hacker and asked for the return of 75 ETH, saying they had lost their whole life savings. Rather than returning exactly the requested amount, the hacker sent back the larger sum of 100 ETH.
There is no way to confirm this claim, so it is unclear whether the user actually lost money in the incident.
Euler Labs offers a $1M bounty
The hack ranks sixth in terms of size in DeFi’s history.
To catch the hacker who stole more than $200 million from the Euler protocol on Monday, Euler Labs is offering a $1 million reward for information.
Despite the huge sum, the U.K.-based business gave the hacker an escape route: return 90% of the stolen assets by Thursday and the company would drop charges, it said in a note embedded in an Ethereum transaction. The hacker has not cooperated with the team in any way despite these demands.
The Euler protocol, which had more than $500 billion in TVL before the attack, served as a model for DeFi's composability: the capacity to mix and match different protocols to build top-to-bottom financial solutions.
Yet Monday's hack has drawn attention to the other side of composability: the risk that grows when various financial software products are combined. The breach affected at least 14 protocols and their users.
Investors do not seem to have much confidence that the funds will be recovered. According to data from CoinGecko, the price of Euler's EUL governance token dropped further on March 13, 2023, reaching a record low of $1.78.
Euler hacker sends funds to the crypto mixer
Just hours after a $1 million bounty was offered to identify the hacker responsible for the $196 million attack on Euler Finance, the hacker started transferring money into the cryptocurrency mixer Tornado Cash.
On March 16, the blockchain analytics company PeckShield tweeted that the perpetrator of the flash loan attack on the Ethereum noncustodial lending protocol was “on the move.”
Using the sanctioned cryptocurrency mixer Tornado Cash, the exploiter moved 1,000 Ether, or around $1.65 million.
51,000 stolen ether sent back to the protocol by the hacker
According to data from the blockchain explorer Etherscan, about 51,000 ether, or around $90 million as of March 25, 2023, was returned to the Euler deployer contract.
Euler’s native EUL tokens were up 25% after the exploiter returned a majority of the stolen funds to the protocol.
On-chain data shows that the exploiter carried out multiple further transactions that moved tens of millions of DAI stablecoins to different wallets.