The incident is the biggest hack of the year so far: the exploiter initiated numerous transactions and stole about $197 million.
Euler Finance, a non-custodial lending protocol based on Ethereum, was hit by a flash loan attack on March 13 that resulted in the loss of hundreds of millions of dollars in decentralized stablecoins and synthetic ERC-20 tokens.
The attacker managed to steal millions in Dai (DAI), USD Coin (USDC), staked Ether (stETH) and wrapped Bitcoin (WBTC). According to on-chain data, the exploiter carried out multiple transactions and stole about $197 million. The attack is currently the largest hack of 2023.
The affected tokens were:
- 73.8k wstETH ($116M)
- 34.2M USDC
- 846 WBTC ($18.6M)
- 8k WETH ($12.6M)
- 8.9M DAI
- 3.8k stETH ($6M)
In addition to the significant financial loss suffered by Euler Finance due to the flash loan attack, the platform’s native token, EULER, plummeted by a staggering 52% in response to the news of the attack.
Crypto analytics firms Meta Sleuth and ZachXBT suggest that the attack may be related to a similar attack on a BSC-based protocol one month earlier. The attacker used a multichain bridge to move funds from BSC to Ethereum before launching the attack. The stolen funds currently sit in several addresses controlled by the hacker.
Euler Finance has acknowledged the exploit and is working with security professionals and law enforcement to resolve the issue.
The blockchain security firm SlowMist conducted a detailed analysis of the attack and found that the exploiter used flash loans to deposit funds and trigger a liquidation. The exploiter then donated funds to the reserve address and carried out a self-liquidation to collect the remaining assets.
Two factors contributed to the success of the exploit. Firstly, the funds were donated to the reserve address without a liquidity check, which left the account eligible for soft liquidation. Secondly, the soft liquidation logic was triggered under high leverage, enabling the liquidator to obtain most of the collateral in the liquidated account while transferring only a portion of its liabilities to themselves.
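The two factors above can be reproduced in a toy lending model. The following Python is an added illustration, not Euler's code: the collateral factor, the discount cap, the mint/donate/liquidate functions and all amounts are constructed, and it contrasts the unchecked donation path with a hardened one that re-runs the same health check every other collateral-reducing path enforces.

```python
from collections import defaultdict
from fractions import Fraction as F

COLLATERAL_FACTOR = F(9, 10)   # assumed: 100 of collateral supports 90 of debt
MAX_DISCOUNT = F(1, 5)         # assumed: liquidation bonus capped at 20%

class Market:
    def __init__(self):
        self.coll, self.debt = defaultdict(F), defaultdict(F)   # per-account balances
    def health(self, acct):   # >= 1 means adequately collateralised; no debt is healthy
        d = self.debt[acct]
        return self.coll[acct] * COLLATERAL_FACTOR / d if d else F(1)
    def mint(self, acct, amount):   # self-collateralised leverage, then health check
        self.coll[acct] += amount
        self.debt[acct] += amount
        if self.health(acct) < 1:
            raise ValueError("mint would leave the account under-collateralised")
    def donate_to_reserves(self, acct, amount, check=True):
        # Factor 1: collateral leaves the account. check=False is the unchecked path;
        # the hardened default applies the same health check as every other path.
        self.coll[acct] -= amount
        if check and self.health(acct) < 1:
            raise ValueError("donation would leave the account under-collateralised")
    def liquidate(self, liquidator, violator, repay):
        h = self.health(violator)
        assert h < 1, "violator is healthy"
        # Factor 2: soft liquidation, the discount grows as health falls (capped), so
        # a deeply underwater account yields all its collateral for part of its debt.
        discount = min(MAX_DISCOUNT, 1 - h)
        seized = min(self.coll[violator], repay / (1 - discount))
        self.debt[violator] -= repay
        self.debt[liquidator] += repay
        self.coll[violator] -= seized
        self.coll[liquidator] += seized
        return seized

def scenario(check_donations):
    """Replay the attack shape in this toy model (constructed, not Euler's code)."""
    m = Market()
    m.coll["violator"] += F(20)      # flash-loaned principal deposited
    m.mint("violator", F(180))       # leverage up: collateral 200, debt 180
    try:
        m.donate_to_reserves("violator", F(50), check=check_donations)   # coll 150, debt 180
    except ValueError as e:
        return {"blocked": str(e)}
    m.liquidate("liquidator", "violator", F(120))   # seizes all 150 for 120 of debt
    gain = m.coll["liquidator"] - m.debt["liquidator"] - F(20)   # net of principal
    return {"attacker_gain": gain, "bad_debt": m.debt["violator"] - m.coll["violator"]}
```

With the check disabled the liquidator ends up ahead and the abandoned violator account carries the difference as bad debt; with the check enabled the donation reverts before any liquidation is possible.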
Gustavo Gonzalez, a solutions developer at the blockchain security firm OpenZeppelin, explained that the attack happened in one transaction, using flash loans from AAVE. He suggested that there appears to be a bug in one of Euler’s smart contracts that allowed the attacker to liquidate themselves from the protocol, repay the flash loan, and make a huge profit.
Euler Finance raised $32 million in a funding round last year that saw participation from FTX, Coinbase, Jump, Jane Street, and Uniswap. Euler Finance became popular for offering liquid staking derivatives (LSDs) services. Currently, LSDs make up to 20% of the total value locked in decentralized finance protocols.