Lessons Learned from Euler Finance’s $200 Million DeFi Heist

HoudiniSwap.com
5 min read · Oct 21, 2023


KEY TAKEAWAYS

  • Major DeFi Attack: Euler Finance suffered a $200 million flash loan attack in March 2023, one of the year’s largest DeFi hacks.
  • Vulnerabilities Exploited: The hack exposed smart contract vulnerabilities, enabling the attacker to profit from arbitrage.
  • Complex Flash Loan: The attacker used a complex flash loan scheme without collateral, causing confusion among users.
  • Security Oversight: The incident highlights the importance of regular audits and updates for DeFi protocols.
  • Losses and Recovery: Euler Finance faced significant losses, but recovery efforts were partly successful.
  • Security Reminder: The attack emphasizes the need for stronger security measures and caution when investing in DeFi projects.

Imagine a situation where old-school bank robbers pull off a heist, snatching $200 million worth of gold bars. That would easily go down as one of the biggest bank heists in a decade.

Well, fast forward to March 13, 2023, and something quite like this occurred. Euler Finance’s reputation took a severe hit due to a flash loan attack, earning it the unfortunate title of the biggest decentralized finance hack of 2023.

A staggering $8 million was recently siphoned from Euler Finance in a hack that left behind an enigmatic message. The attack escalated, resulting in a total loss of $200 million, shattering Euler Finance’s once-sterling reputation. Other DeFi protocols, like Angle and Balancer, were collateral damage in the chaos that ensued.

The event caused a huge 95% drop in Euler Finance’s total value locked (TVL), raising concerns about its security measures and affecting its position in the DeFi community.

A Detailed Breakdown of the Exploitation of Euler Finance’s Vulnerabilities

Euler Finance’s vulnerabilities were almost like the hackers’ playground.

The root cause of the Euler Finance attack lay in the vulnerabilities embedded within its smart contract. A key vulnerability was identified in the “donateToReserves” function.

In addition to this, Euler Finance’s liquidation mechanism offered substantial discounts, creating lucrative arbitrage opportunities for the attackers. The attacker’s strategy involved a series of meticulously orchestrated steps, including flash loan borrowing and manipulative actions within the protocol.

In this scenario, the attacker takes advantage of flash loans, a technique where they temporarily borrow a large sum of cryptocurrency without collateral to manipulate the market.

The attacker performs several steps:

  • Deposit 20 million DAI (a stablecoin) into a DeFi protocol.
  • Mint 200 million eDAI (a derivative token) using the deposited DAI.
  • Repay 10 million DAI, which reduces the debt.
  • Mint an additional 200 million eDAI with the reduced debt.
  • Donate 100 million eDAI to the reserves, seemingly for a good cause.
  • Liquidate their own position for 259 million eDAI, which yields 38.9 million DAI in profit.
  • Finally, the attacker closes the flash loan, ending the borrowing.

The attacker exploits the system’s mechanics, making it appear as if they’re helping by donating to the reserves but ultimately profiting from the complex financial maneuvers.

The Mysterious Attacker: The hacker with a heart?

The event must have been a real rollercoaster of emotions for a lot of people.

But imagine getting hacked then getting your assets back.

In one case, a distraught user pleaded with the hacker on-chain and, despite the hacker’s relentless attacks, received 100 ETH in response.

This might have been the hacker’s way of sending a message to Euler, showing that they could see Euler’s on-chain messages, or a sign that the address was controlled by the attacker and was being used to sow confusion or uncertainty.

You’d most likely need a whole month off to recover emotionally from something like this.

This act of generosity though was short-lived as the hacker continued moving the stolen funds.

The Vulnerability Oversight in Euler Finance’s Smart Contract

To understand the hack, we can examine how it exploited Euler Finance’s lending platform, which relies on overcollateralization. Users must deposit assets exceeding the amount they intend to borrow.

The hack’s brilliance lay in its use of Euler’s donate function, which allowed users to donate their collateral to the protocol without a health check. By exploiting this function, the hacker was able to donate massive sums into insolvency, opening the door to lucrative liquidation bonuses.

“Imagine being a lending protocol and not being properly audited. But what’s scary about all this is that they actually had three different companies give their smart contract an audit, which should have instilled confidence.”

Losses of the Euler Finance Attack

The Euler Finance attack precipitated losses totaling nearly $200 million. This extensive amount was primarily composed of a wide array of cryptocurrencies. The attacker initiated the attack by borrowing $30 million in DAI, eventually accumulating substantial assets through the exploitation of Euler Finance’s protocol vulnerabilities.

The Aftermath

Unfortunately, a lot of people got caught up in the chaos.

News of the hack spread like wildfire and panic ensued, prompting depositors to scramble for other assets, which in turn triggered a bank run on Euler Finance.

The hacker’s attack initially appeared as a single-point failure, but it was the unchecked donate function that enabled it to wreak havoc. This seemingly harmless oversight undermined the protocol’s reputation for robustness.

“The hack happened not because they missed a bug, but because they forgot to recheck the smart contract after making updates. Those updates, as it turns out, were like leaving the front door wide open.”

The Unusual Turn of Events: Negotiations and Intrigues

The Euler team attempted to communicate with the hacker through on-chain messages, demanding the return of a significant portion of the stolen funds and threatening to post a reward for information leading to his arrest. Surprisingly, the hacker returned 51,000 ETH and continued negotiations.

The situation took a strange turn when North Korea seemed to intervene, seeking secure communication with the hacker. It turned out this was no ordinary hacker: he was the Ronin Bridge Exploiter, linked to a $600 million hack attributed to Lazarus, a North Korean state-sponsored hacking group.

Was the Euler hack another North Korean job or a diversion by the hacker? We may never know.

Meanwhile, the hacker had a change of heart and started returning the funds in a series of transactions. They set up subwallets to send the money back, and some victims even helped by sharing information about the hacker’s activities.

As a result of all these efforts, Euler Finance managed to recover a big chunk of the stolen assets. They used a clever plan that simulated repaying the debt at the time of the hack and assessed positions on that basis, though it wasn’t a simple 1:1 refund.

DeFi Vulnerabilities and the Need for Security

DeFi platforms getting hacked seems to happen frequently, whether in the news or on social media.

And the Euler Finance flash loan attack serves as a stark reminder of the persistent risks and vulnerabilities in the DeFi ecosystem. Flash loan attacks are difficult to prevent entirely because they exploit the mechanics of decentralized finance protocols themselves, so mitigating their impact usually requires more sophisticated safeguards and monitoring.

This incident underscores the necessity of robust audits, developer diligence, and user education to fortify DeFi protocols. It also serves as a reminder to the crypto community to place a high value on security and exercise caution when considering investments in new projects.

Written by HoudiniSwap.com

Sharing insights about the importance of privacy in crypto. Privacy Is Security. Houdini Swap uses Monero to anonymize transactions.