A Detailed Analysis of Euler Finance’s $196 Million Flash Loan Attack

On 13 March 2023 at 08:56:35 AM +UTC, DeFi lending protocol Euler Finance experienced a Flash Loan Attack.

Euler Finance is a protocol that operates as a permissionless lending protocol. Its primary goal is to facilitate lending and borrowing of various cryptocurrencies for users. The UK-based tech startup utilizes mathematical principles to develop non-custodial protocols on Ethereum and other blockchain networks, with a focus on achieving high performance.

Based on on-chain data analysis, the attacker has successfully executed multiple transactions resulting in the theft of approximately $197 million, making it the largest hack of 2023 thus far. Stolen assets include several million worth of DAI, USDC, Staked Ether (StETH), and Wrapped Bitcoin (WBTC).

The breakdown of the stolen assets is as follows:

The attack was possible because the donateToReserves function of the EToken contract performs no liquidity check. The attacker executed multiple calls with different currencies to generate profit, resulting in a massive loss of $196 million across six different tokens. Currently, the funds remain in the attacker’s account.

The attacker’s address is: https://etherscan.io/address/0xb66cd966670d962c227b3eaba30a872dbfb995db

The attacker’s contract address is: https://etherscan.io/address/0x036cec1a199234fc02f72d29e596a09440825f1c

One of the attack transactions can be found here: https://etherscan.io/tx/0xc310a0affe2169d1f6feec1c63dbc7f7c62a887fa48795d327d4d2da2d6b111d

1. The attacker first borrowed 30 million DAI through a flash loan from Aave and then deployed two contracts: one for lending and one for liquidation.

2. The attacker then called the deposit function and pledged 20 million DAI to the Euler Protocol contract, receiving 19.5 million eDAI in return.

3. The Euler Protocol allows users to borrow up to 10 times their deposit by calling the mint function. The attacker leveraged this capability to borrow 195.6 million eDAI and 200 million dDAI.

4. The attacker called the repay function using the remaining 10 million DAI borrowed through the flash loan to repay their debt and destroy 10 million dDAI. They then proceeded to call the mint function again to borrow 195.6 million eDAI and 200 million dDAI.

5. The attacker then called the donateToReserves function and donated 10 times the amount needed to repay their debt, sending 100 million eDAI. They then called the liquidate function to initiate the liquidation process and obtained 310 million dDAI and 250 million eDAI.

6. The attacker called the withdraw function and obtained 38.9 million DAI, which they used to repay the 30 million DAI borrowed through the flash loan. They profited 8.87 million DAI from the attack.

First, let’s take a look at the donateToReserves function, which is where users become vulnerable to liquidation.

Comparing the donateToReserves function to the mint function in the diagram below, we can see that a key step, checkLiquidity, is missing from the donateToReserves function.

Next, we followed up and examined the implementation of checkLiquidity. It goes through the callInternalModule function, which calls the RiskManager to check and ensure that EToken > DToken for the user.

It is necessary to check the user’s liquidity each time an operation is performed by calling checkLiquidity.

However, the donateToReserves function does not perform this check, which allows a user to first push their own position into a liquidatable state through certain protocol functions and then liquidate that position themselves.
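The following is a deliberately simplified, constructed model added here to illustrate the point (it is not Euler's code): an account holds an eToken collateral claim and a dToken debt, every balance-changing operation is supposed to end with the RiskManager rule eToken >= dToken, and the two variants of donateToReserves differ only in whether that check runs. Names, amounts and the `run` helper are assumptions for the demonstration.

```python
import copy


class InsufficientLiquidity(Exception):
    """Raised where the protocol would revert the transaction."""


class Account:
    """Constructed user position: eToken = collateral claim, dToken = debt."""

    def __init__(self):
        self.etoken = 0
        self.dtoken = 0

    def is_healthy(self):
        # The RiskManager rule described in the article: eToken must cover dToken.
        return self.etoken >= self.dtoken


def check_liquidity(acct):
    """Stand-in for checkLiquidity -> callInternalModule -> RiskManager."""
    if not acct.is_healthy():
        raise InsufficientLiquidity(f"eToken {acct.etoken} < dToken {acct.dtoken}")


def deposit(acct, amount):
    acct.etoken += amount
    check_liquidity(acct)


def mint(acct, amount):
    # Self-collateralised borrow: equal eToken and dToken are created, then checked.
    # (The real protocol applies collateral factors; the 10x cap is omitted here.)
    acct.etoken += amount
    acct.dtoken += amount
    check_liquidity(acct)


def donate_to_reserves_unchecked(acct, amount):
    # Burns eToken but never re-checks liquidity: dToken can now exceed eToken.
    acct.etoken -= amount


def donate_to_reserves_checked(acct, amount):
    # Hardened variant: the same burn, followed by the missing liquidity check.
    acct.etoken -= amount
    check_liquidity(acct)


def run(donate, deposit_amt=20, mint_amt=200, donate_amt=100):
    """deposit -> mint -> donate; returns (outcome, position still healthy?)."""
    acct = Account()
    deposit(acct, deposit_amt)
    mint(acct, mint_amt)
    snapshot = copy.copy(acct)  # a revert rolls the whole transaction back
    try:
        donate(acct, donate_amt)
    except InsufficientLiquidity:
        return "reverted", snapshot.is_healthy()
    return "ok", acct.is_healthy()
```

With the unchecked variant the donation succeeds and leaves the position undercollateralised; with the check in place the same call reverts and the position stays healthy.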

The Numen Cyber Labs team has managed to reproduce the attack.

You may find out more details on the PoC at https://github.com/numencyber/SmartContractHack_PoC/tree/main/EulerfinanceHack

Euler Finance has confirmed the attack on its official Twitter account (@eulerfinance) and has stated that it is currently collaborating with security professionals and law enforcement to address the issue.

Euler Finance recently provided an update on its efforts to recover funds for protocol users. It outlined several actions taken since the attack, including stopping the direct attack as soon as possible by disabling the EToken module, which blocked deposits and the vulnerable donateToReserves function.

Additionally, they have engaged with various security organizations such as TRM Labs, Chainalysis, and the wider Ethereum security community to aid in the investigation and recovery of funds. Euler Finance has also shared information with law enforcement in both the US and UK.

Lastly, the company has attempted to reach out to the attackers to learn more about potential recovery options.

The recent attack on the Euler Finance protocol highlights the importance of implementing rigorous security measures, such as conducting thorough audits and regularly checking for vulnerabilities.

As the decentralized finance ecosystem continues to grow, it is crucial for projects to prioritize the security of their users’ funds and adopt best practices to mitigate the risk of similar attacks in the future.