On March 13, the Ethereum-based non-custodial lending protocol Euler Finance encountered a flash loan attack. The attacker was successful in stealing millions in Dai (DAI), USD Coin (USDC), staked Ether (stETH), and wrapped Bitcoin (WBTC).
Based on the most recent data on the blockchain, the hacker made several transactions and stole almost $196 million. This ongoing attack is now the largest hack of 2023. The breakdown of stolen funds is as follows:
The crypto analytics firm MetaSleuth says this attack is linked to a deflation attack carried out a month ago. The attacker used a multichain bridge to transfer the funds from BNB Smart Chain (BSC) to Ethereum and launched the attack today.
Another on-chain sleuth, ZachXBT, made the same connection and suggested that the movement of funds and the nature of the attack resembled those of black hats who exploited a BSC-based protocol last month. After exploiting that protocol on BSC, the funds were transferred to Tornado Cash.
Currently, the stolen funds are located in the following hacker addresses:
- 0xebc29199c817dc47ba12e3f86102564d640cbf99 (Contract) – 8,877,507.34 DAI
- 0xb2698c2d99ad2c302a95a8db26b08d17a77cedd4 – 8,080.97 ETH
- 0xb66cd966670d962c227b3eaba30a872dbfb995db – 88,752.69 ETH & 34,186,225.91 DAI
Euler Finance has admitted that the exploit happened and is working with security experts and law enforcement to fix the problem.
We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it. https://t.co/bjm6xyYcxf
— Euler Labs (@eulerfinance) March 13, 2023
The blockchain security firm SlowMist has conducted a thorough analysis of the attack and has found that the exploiter used flash loans to deposit funds, leveraging them twice to initiate liquidation. The attacker then donated the funds to a reserved address and conducted a self-liquidation to collect any remaining assets.
The success of the exploit can be attributed to two factors. Firstly, the funds were donated to the reserved address without undergoing a liquidity check, which triggered soft liquidation. Secondly, the high leverage triggered the soft liquidation logic, allowing the liquidator to obtain most of the collateral funds from the liquidated user’s account by transferring only a portion of the liabilities to themselves.
Gustavo Gonzalez, a solutions developer at OpenZeppelin, a blockchain security firm, informed Cointelegraph that the entire process occurred in one transaction (one per pool) using flash loans from AAVE.
“There appears to be a bug in one of the Euler smart contracts, where it doesn’t check for the health factor when executing the donateToReserves() function. Because of that, the attacker was able to liquidate himself from the protocol, repay the flash loan and make a huge profit.”
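The two factors described above, as an added toy model that is not Euler's code (the collateral factor, discount cap and balances are constructed): the same mint-then-donate-then-self-liquidate sequence is run with and without the health check that the quote says was missing, and the hardened path rejects the donation before any bad debt can be created.

```python
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.9   # constructed: 1 unit of collateral backs 0.9 units of debt
MAX_DISCOUNT = 0.20       # constructed: cap on the soft-liquidation bonus

@dataclass
class Account:
    collateral: float  # deposit claims (eTokens); reserves themselves are not modelled
    debt: float        # borrow liabilities (dTokens)

def health(a: Account) -> float:
    """Risk-adjusted collateral divided by debt; below 1.0 the account is liquidatable."""
    return float("inf") if a.debt == 0 else a.collateral * COLLATERAL_FACTOR / a.debt

def require_healthy(a: Account) -> None:
    if health(a) < 1.0:
        raise ValueError("account would be unhealthy")

def mint(a: Account, amount: float) -> None:
    """Self-collateralised borrow: deposit and debt grow together (leverage)."""
    a.collateral += amount
    a.debt += amount
    require_healthy(a)

def donate_to_reserves(a: Account, amount: float, check_health: bool) -> None:
    """Give up collateral. check_health=False models the missing liquidity check."""
    a.collateral -= amount
    if check_health:
        require_healthy(a)  # the fix: a donation that leaves the account unhealthy reverts

def liquidate(violator: Account, liquidator: Account) -> None:
    """Soft liquidation: the discount grows with how far underwater the violator is."""
    discount = min(1.0 - health(violator), MAX_DISCOUNT)
    debt_taken = violator.collateral / (1.0 + discount)  # all collateral is seized...
    liquidator.collateral += violator.collateral
    liquidator.debt += debt_taken                        # ...for only part of the debt
    violator.debt -= debt_taken
    violator.collateral = 0.0

def run(check_health: bool) -> float:
    """Returns the debt stranded in the violator account (bad debt) after self-liquidation."""
    violator, liquidator = Account(30.0, 0.0), Account(0.0, 0.0)
    mint(violator, 200.0)                               # health 0.9*230/200 = 1.035, allowed
    donate_to_reserves(violator, 100.0, check_health)   # health 0.9*130/200 = 0.585
    liquidate(violator, liquidator)
    return violator.debt
```

With the check disabled the liquidator ends up holding 130 units of collateral against about 108.3 of debt, and the remaining 91.7 of debt is left behind in the emptied violator account; with the check enabled the donation itself is rejected.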
Last year, big investors like FTX, Coinbase, Jump, Jane Street, and Uniswap gave Euler Finance $32 million in funding. The platform gained popularity for its liquid staking derivatives (LSDs) services, a new form of tokens that allows stakers to boost their potential returns by unlocking liquidity for staked cryptocurrencies like Ether (ETH). LSDs constitute up to 20% of the total value locked in decentralised finance protocols.