The Euler Finance hack is one of the largest DeFi attacks to date, resulting in the loss of nearly $200 million in cryptocurrency assets.
The attack highlights the risks associated with flash loan attacks, a type of exploit that has become common in the DeFi ecosystem. A flash loan is not a vulnerability in itself; it gives an attacker temporary capital so that an existing flaw in a protocol can be exploited at a scale that would otherwise be out of reach. The incident also highlights the need for continued improvement in security measures to protect investors and participants in the DeFi space.
In this article, we will explore the details of the Euler Finance hack, how flash loans work, and the potential methods for mitigating the risks of flash loan attacks in the future.
The Euler Finance Hack
On the morning of March 13th, 2023, Euler Finance, a decentralized lending protocol on the Ethereum blockchain, was the victim of a flash-loan attack. The attacker used the loan to take advantage of a flaw in one of Euler's smart contracts, allowing them to steal a total of $199 million worth of cryptocurrencies including USDC, Dai, Wrapped Bitcoin, and Staked Ether. The attack was one of the largest and most high-profile hacks to occur in the DeFi space.
Flash-loan attacks are a growing trend in DeFi and have become a popular way for attackers to exploit vulnerabilities in smart contracts. A flash loan is a large, uncollateralized loan that must be borrowed and repaid within a single transaction; if it is not repaid by the end of that transaction, the whole transaction reverts. The attacker uses the borrowed funds within the transaction to manipulate prices or to exploit an accounting flaw in the target protocol, repays the loan, and keeps the difference.
These types of attacks have become a major concern for DeFi projects, as they expose the potential for significant losses for both users and the platforms themselves.
How the Funds Were Stolen
The Euler Finance hack exploited a flaw in one of the platform's smart contracts. Specifically, the donateToReserves function of the eToken contract burned the caller's eTokens (their deposit receipts, which also serve as collateral) and credited them to the protocol's reserves, but it did not burn the caller's corresponding dTokens (their debt) and did not run the account health check that Euler's other balance-changing operations perform. An account could therefore give away its collateral while keeping its full debt.
The result was an account whose recorded debt exceeded its remaining collateral: the protocol still saw the dTokens, but the eTokens that backed them were gone. The hacker deliberately put their own account into that state and then liquidated it from a second contract, collecting the collateral at a liquidation discount and leaving the bad debt with the protocol.
The hacker reportedly received initial funding from the sanctioned mixer Tornado Cash, which covered the gas fees and the deployment of the contracts used in the exploit. They then took a flash loan of around $30 million in DAI from the DeFi protocol Aave and deposited $20 million of it into Euler, receiving a similar amount of eDAI tokens in return.
Euler's mint function lets an account create eTokens and an equal amount of dTokens against its existing collateral, up to 10 times the deposited amount, so the hacker used it to open a leveraged position of roughly $200 million in eDAI and dDAI. The remaining $10 million in DAI from the flash loan repaid part of the dDAI debt, which freed enough capacity to call mint again. With the leveraged position in place, the hacker called donateToReserves, liquidated the now-undercollateralized account, and repaid the flash loan before the transaction ended.
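The accounting failure described above, as an added example that is not Euler's code: a toy Python model of eToken/dToken balances with the solvency rule simplified to "collateral must cover debt" (the real protocol applies per-asset collateral and borrow factors and pays the liquidator a discount; neither is modelled). The deposit, mint and repay amounts follow the figures on this page; the 100M donation is chosen for illustration. The vulnerable donate_to_reserves variant skips the health check, the hardened one runs it.

```python
"""Toy model of the eToken/dToken accounting behind the Euler exploit.
Not Euler's code: the health rule is simplified to collateral / debt >= 1."""
from dataclasses import dataclass, field


class Undercollateralized(Exception):
    """Raised by the health check when an account's debt exceeds its collateral."""


@dataclass
class Account:
    e_tokens: float = 0.0  # deposit receipts; also the account's collateral
    d_tokens: float = 0.0  # debt owed to the pool

    def health(self) -> float:
        """Collateral / debt; >= 1.0 means solvent (simplified rule, see above)."""
        return float("inf") if self.d_tokens == 0 else self.e_tokens / self.d_tokens


@dataclass
class Market:
    check_on_donate: bool  # False = the vulnerable behaviour, True = hardened
    reserves: float = 0.0
    accounts: dict = field(default_factory=dict)

    def account(self, who: str) -> Account:
        return self.accounts.setdefault(who, Account())

    def _check_liquidity(self, who: str) -> None:
        acct = self.account(who)
        if acct.health() < 1.0:
            raise Undercollateralized(f"{who}: health {acct.health():.3f}")

    def deposit(self, who: str, amount: float) -> None:
        self.account(who).e_tokens += amount

    def mint(self, who: str, amount: float) -> None:
        """Self-borrow: create equal eTokens and dTokens (a leveraged position).
        The health check runs, so the position must still be covered afterwards."""
        acct = self.account(who)
        acct.e_tokens += amount
        acct.d_tokens += amount
        self._check_liquidity(who)

    def repay(self, who: str, amount: float) -> None:
        acct = self.account(who)
        acct.d_tokens -= min(amount, acct.d_tokens)

    def donate_to_reserves(self, who: str, amount: float) -> None:
        """Burn the caller's eTokens into the protocol reserves.
        Vulnerable variant: collateral leaves the account but its dTokens stay and
        no health check runs, so the account can end up owing more than it holds."""
        acct = self.account(who)
        if amount > acct.e_tokens:
            raise ValueError("cannot donate more than held")
        acct.e_tokens -= amount
        self.reserves += amount
        if self.check_on_donate:
            self._check_liquidity(who)  # the check the vulnerable version lacks


def run_scenario(check_on_donate: bool) -> float:
    """Replay the flow from the article (amounts in millions of DAI) and return the
    attacker's health after the donation; the hardened market raises instead."""
    m = Market(check_on_donate=check_on_donate)
    atk = "attacker"
    m.deposit(atk, 20)               # 20M of the 30M flash loan deposited as eDAI
    m.mint(atk, 200)                 # mint 10x: +200M eDAI and +200M dDAI
    m.repay(atk, 10)                 # remaining 10M DAI repays part of the dDAI
    m.mint(atk, 200)                 # borrow again on the freed capacity
    m.donate_to_reserves(atk, 100)   # illustrative amount: collateral gone, debt stays
    return m.account(atk).health()


def hardened_rejects_donation() -> bool:
    """True if the hardened market refuses the donation the vulnerable one allows."""
    try:
        run_scenario(check_on_donate=True)
    except Undercollateralized:
        return True
    return False


if __name__ == "__main__":
    print(f"vulnerable: health after donation = {run_scenario(False):.3f}")
    print(f"hardened:   donation rejected = {hardened_rejects_donation()}")
```

run_scenario(False) returns a health of about 0.82 (320M of collateral against 390M of debt), which is the undercollateralized state the attacker then liquidated; run_scenario(True) raises Undercollateralized at the donation instead. The fix is one line, which is the point: every function that changes an account's balances should end with the same solvency check.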
The Aftermath of the Attack
In the aftermath of the attack, Euler Finance issued a statement acknowledging the exploit and stating that it was working with security professionals and law enforcement to resolve the issue. The statement urged users not to interact with Euler Finance until further notice, and the company said it would provide updates as the situation developed.
Several weeks after the attack, the hacker returned the stolen funds and apologized through a series of on-chain messages. The hacker, who signed as Jacob, began by sending 54,000 ETH to Euler (3,000 ETH on March 18 and 51,000 ETH on March 25), followed several days later by 7,000 ETH and $10 million in DAI, and also returned ETH and DAI from several other addresses that Jacob had funded. The hacker stated an intention to return all of the funds eventually, and did so.
The dialogue between Euler and the hacker was a fascinating aspect of the aftermath of the attack. Euler sent on-chain messages to the Ethereum account holding the stolen assets, warning the hacker that the US government had sanctioned Tornado Cash, the decentralized mixer being used to launder the stolen funds.
The hacker responded with messages expressing a desire to return the funds and sent the first portion of the returned funds shortly thereafter. In subsequent messages, the hacker indicated a growing sense of guilt and remorse, and thanked Euler for not going to the authorities. Euler replied that it would not report the hack if the funds were returned in full.
How to Reduce the Risks of Flash Loan Attacks
While it is difficult to eliminate the risk of flash loan attacks completely, several measures can reduce it. One is the use of circuit breakers: on-chain mechanisms that pause or rate-limit a protocol when it sees unusually large price movements or outflows, for example more than a set fraction of a pool leaving within a window of blocks. Because a flash-loan exploit completes within a single transaction, the check must be enforced by the contract itself during that transaction; an off-chain monitor that pauses the protocol afterwards only limits follow-on damage. A breaker also bounds the rate of loss rather than preventing it, since an attacker can stay under the threshold and drain slowly.
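The outflow breaker just described, as an added example that is not code from Euler or any particular protocol: a sliding-window limiter modelled in Python that refuses (and trips on) any withdrawal that would push the last `window` blocks of outflow past a fixed fraction of the liquidity the pool held when the breaker was armed. The pool size, limit and scenarios are constructed for illustration, and the slow-drain scenario shows the caveat that a breaker only bounds the rate of loss.

```python
"""Sliding-window outflow circuit breaker (added example, not a protocol's own code).
Trips when withdrawals in the last `window` blocks would exceed a fixed fraction
of the liquidity the pool held when the breaker was armed."""
from collections import deque


class CircuitBreaker:
    def __init__(self, pool_liquidity: float, max_outflow_fraction: float, window: int) -> None:
        self.max_outflow = max_outflow_fraction * pool_liquidity  # cap fixed at arming time
        self.window = window
        self.events: deque = deque()  # (block, amount) of accepted withdrawals
        self.tripped = False

    def _prune(self, block: int) -> None:
        # Drop withdrawals that have aged out of the window.
        while self.events and self.events[0][0] <= block - self.window:
            self.events.popleft()

    def outflow_in_window(self, block: int) -> float:
        self._prune(block)
        return sum(amount for _, amount in self.events)

    def withdraw(self, block: int, amount: float) -> bool:
        """True if the withdrawal is allowed; False if it would breach the limit
        (which trips the breaker) or the breaker is already tripped."""
        if self.tripped:
            return False
        if self.outflow_in_window(block) + amount > self.max_outflow:
            self.tripped = True  # stays tripped until a reset (governance, not modelled)
            return False
        self.events.append((block, amount))
        return True


def simulate(withdrawals: list[tuple[int, float]]) -> list[bool]:
    """Feed (block, amount) withdrawals through a fresh breaker: pool of 1,000 units,
    10% limit over a 50-block window. Returns the allow/deny decision for each."""
    breaker = CircuitBreaker(pool_liquidity=1000.0, max_outflow_fraction=0.10, window=50)
    return [breaker.withdraw(block, amount) for block, amount in withdrawals]


# Constructed scenarios.
def normal_traffic() -> list[bool]:
    # Ordinary withdrawals; the first two age out before the third arrives.
    return simulate([(1, 20.0), (10, 30.0), (70, 40.0)])


def drain_attempt() -> list[bool]:
    # 110 units requested within three blocks: the third call trips the breaker,
    # and everything after it is refused.
    return simulate([(1, 30.0), (2, 40.0), (3, 40.0), (4, 5.0)])


def slow_drain() -> list[bool]:
    # Two withdrawals just under the cap, one window apart: both pass. A breaker
    # limits the rate of loss, it does not stop a patient attacker.
    return simulate([(1, 90.0), (60, 90.0)])


if __name__ == "__main__":
    print("normal:", normal_traffic())
    print("drain: ", drain_attempt())
    print("slow:  ", slow_drain())
```

In a real deployment the equivalent check lives inside the withdraw and borrow paths of the contract, so that a single-transaction drain is refused before it completes; the reset after a trip is a governance action.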
Another measure is to improve smart contract security: regular audits, and tests that enforce the protocol's invariants after every state-changing function. In Euler's case the invariant that an account's collateral must cover its debt was enforced on the borrow and mint paths but not in donateToReserves, and an invariant or fuzz test that called every public function and then checked account health could have flagged the gap.
Additionally, decentralized finance protocols can also work together to share information about vulnerabilities and attack patterns to better protect their platforms and users. As the decentralized finance ecosystem continues to grow and mature, it is likely that more sophisticated security measures will be developed to combat flash loan attacks and other types of exploits.
While flash loan attacks are relatively new, they are becoming more frequent and sophisticated. The Euler Finance hack serves as a reminder that no DeFi platform is immune to attack and that continued efforts are necessary to reduce the risks associated with these types of exploits. By implementing measures such as circuit breakers and improved auditing processes, DeFi protocols can better protect their users and assets. As the DeFi space continues to evolve, the security of these protocols will become even more critical to the success and longevity of the ecosystem.