MUFEX, the decentralized exchange (DEX) founded by industry veterans, is making waves in the DeFi space by providing a trading experience that closely resembles centralized exchanges (CEX) while leveraging the benefits of decentralization. With lightning-fast order processing and a diverse range of order types, MUFEX is rapidly emerging as the go-to platform for CEX users seeking a seamless transition to decentralized trading. MUFEX's professional yet easy-to-use interface sets it apart from other DEX platforms. It introduces innovative features such as…
A Detailed Analysis of Euler Finance’s $196 Million Flash Loan Attack
On 13 March 2023 at 08:56:35 AM +UTC, DeFi lending protocol Euler Finance experienced a Flash Loan Attack.
Euler Finance is a protocol that operates as a permissionless lending protocol. Its primary goal is to facilitate lending and borrowing of various cryptocurrencies for users. The UK-based tech startup utilizes mathematical principles to develop non-custodial protocols on Ethereum and other blockchain networks, with a focus on achieving high performance.
Based on on-chain data analysis, the attacker has successfully executed multiple transactions resulting in the theft of approximately $197 million, making it the largest hack of 2023 thus far. Stolen assets include several million worth of DAI, USDC, Staked Ether (StETH), and Wrapped Bitcoin (WBTC).
The breakdown of the stolen assets are as follows:
Detailed Analysis
The attack was possible due to a lack of liquidity checks in the donateToReserves function of the Etoken. The attacker executed multiple calls with different currencies to generate profit, resulting in a massive loss of $196 million across six different tokens. Currently, the funds remain in the attacker’s account.
The attacker’s address is: https://etherscan.io/address/0xb66cd966670d962c227b3eaba30a872dbfb995db
The attacker’s contract address is: https://etherscan.io/address/0x036cec1a199234fc02f72d29e596a09440825f1c
One of the attack transactions can be found here: https://etherscan.io/tx/0xc310a0affe2169d1f6feec1c63dbc7f7c62a887fa48795d327d4d2da2d6b111d
1. The attacker first borrowed 30 million DAI through a flash loan from Aave and then deployed two contracts: one for lending and one for liquidation.
2. The attacker then called the deposit function and pledged 20 million DAI to the Euler Protocol contract, receiving 19.5 million eDAI in return.
3. The Euler Protocol allows users to borrow up to 10 times their deposit by calling the mint function. The attacker leveraged this capability to borrow 195.6 million eDAI and 200 million dDAI.
4. The attacker called the repay function using the remaining 10 million DAI borrowed through the flash loan to repay their debt and destroy 10 million dDAI. They then proceeded to call the mint function again to borrow 195.6 million eDAI and 200 million dDAI.
5. The attacker then called the donateToReserves function and donated 10 times the amount needed to repay their debt, sending 100 million eDAI. They then called the liquidate function to initiate the liquidation process and obtained 310 million dDAI and 250 million eDAI.
6. The attacker called the withdraw function and obtained 38.9 million DAI, which they used to repay the 30 million DAI borrowed through the flash loan. They profited 8.87 million DAI from the attack.
Core Vulnerability
First, let’s take a look at the donateToReserves function, which is where users become vulnerable to liquidation.
Comparing the donateToReserves function to the mint function in the diagram below, we can see that a key step, checkLiquidity, is missing from the donateToReserves function.
Next, we followed up and examined the implementation of checkLiquidity. We discovered the Call InternalModule function, which calls the RiskManager to check and ensure that Etoken > Dtoken for the user.
It is necessary to check the user’s liquidity each time an operation is performed by calling checkLiquidity.
However, the donateToReserves function does not execute this operation, allowing users to first put themselves in a state of liquidation through certain functions of the protocol, and then complete the liquidation.
Attack Reproduction
The Numen Cyber Lab’s team has managed to reproduce the attack.
You may find out more details on the PoC at https://github.com/numencyber/SmartContractHack_PoC/tree/main/EulerfinanceHack
Official Updates on the Attack
Euler Finance have confirmed the attack on their official Twitter (@eulerfinance) and have stated that they are currently collaborating with security professionals and law enforcement to address the issue.
Euler Finance recently provided an update on their efforts to recover funds for their protocol users. They outlined several actions they have taken since the attack, including stopping the direct attack as soon as possible by disabling the EToken module, which prevented deposits and the vulnerable donation function.
Additionally, they have engaged with various security organizations such as TRM Labs, Chainalysis, and the wider Ethereum security community to aid in the investigation and recovery of funds. Euler Finance has also shared information with law enforcement in both the US and UK.
Lastly, the company has attempted to reach out to the attackers to learn more about potential recovery options.
Conclusion
The recent attack on the Euler Finance protocol highlights the importance of implementing rigorous security measures, such as conducting thorough audits and regularly checking for vulnerabilities.
Btc
Bitcoin
$27.891
price
price
2.52298%
price change
As the decentralized finance ecosystem continues to grow, it is crucial for projects to prioritize the security of their users’ funds and adopt best practices to mitigate the risk of similar attacks in the future
Numen Cyber is a Singapore-based Web3 Security company. The organization has discovered critical vulnerabilities in some of the world’s most well-known Web3 projects, such as Aptos, Sui, EOS, Ripple and Tron. With the Numen Cyber Labs team composed of the world’s top security experts, they offer Web3 security services that can comprehensively cover all stages of a Web3 project’s lifecycle, such as security audits for smart contracts, public blockchains, wallets and exchanges. Numen also offers on-chain smart contract threat detection and response, Web3 security situational awareness, digital currency tracing and Web3 threat intelligence to protect the digital asset security of Web3 projects and users. For more information, please visit https://numencyber.com.
VIEW AUTHORMore author posts
Numen Cyber Successfully Held Its First-ever International Smart Contract Security CTF and Sensor Development Competition
Numen Cyber has successfully hosted its first-ever international Smart Contract Security CTF and Sensor Development competition. The event, which was sponsored by COCloud, Alibaba Cloud, and The Collective Solution, attracted over 400 participants from more than 200 teams worldwide, and offered a total prize pool exceeding $20,000. The competition provided participants with an excellent opportunity to showcase their innovation, creativity, and problem-solving skills in the Web3 field, while also reflecting Numen Cyber's mission to promote the development of Web3 security…
2 months ago 
178 views
A Detailed Analysis of Euler Finance’s $196 Million Flash Loan Attack
On 13 March 2023 at 08:56:35 AM +UTC, DeFi lending protocol Euler Finance experienced a Flash Loan Attack. Euler Finance is a protocol that operates as a permissionless lending protocol. Its primary goal is to facilitate lending and borrowing of various cryptocurrencies for users. The UK-based tech startup utilizes mathematical principles to develop non-custodial protocols on Ethereum and other blockchain networks, with a focus on achieving high performance. Based on on-chain data analysis, the attacker has successfully executed multiple transactions resulting…
3 months ago 685 views
An Account of the Recent White Hat Attack on DeFi Protocol Tender.fi
In the latest development in the world of Decentralized Finance (DeFi), Tender.fi, a DeFi lending protocol, fell victim to a white hat attack. The alleged ethical hacker behind the attack had managed to drain a whopping $1.6 million from the platform, forcing the service to halt borrowing while it attempts to recover its assets. The attack, which took place on Mar-07-2023 at 08:21:38 AM +UTC, has caused significant concern among the DeFi community. According to Numen Cyber’s on-chain monitoring, the attacker siphoned 198…
3 months ago 441 views
Editor's picks
The Best A.I. Crypto Trading Bots
As cryptocurrency evolves, trading has become increasingly automated, with many traders now relying on artificial intelligence (AI) and machine learning (ML) to maximize their profits. These AI-powered crypto trading bots are automated software designed to analyze market data, execute trades, and optimize profits on behalf of traders. Here are some of the top AI crypto trading bots of 2023: Dash 2 Trade As the overall best AI crypto trading bot for 2023, Dash 2 Trade boasts advanced intelligence and analytics…
Crypto Adventure 
@CryptoAdventure
@CryptoAdventure
1 week ago 247 views
The Latecomer’s Guide to Cryptocurrency
If you've arrived late to the cryptocurrency party, don't worry. It's always possible to start. Here's a primer to get you up to speed with crypto. Understanding Cryptocurrency Cryptocurrency is a form of digital or virtual currency that uses cryptography for security. Unlike traditional money, cryptocurrencies are decentralized and often operate on blockchain technology, a distributed ledger enforced by a network of computers known as nodes. The first and most well-known cryptocurrency is Bitcoin, but there are now thousands, including…
Crypto Adventure
@CryptoAdventure
@CryptoAdventure
1 week ago 140 views
U.S. Crypto Tax Guide for 2023
The world of cryptocurrency is constantly changing, with innovations and new uses for digital currencies springing up every day. This innovation has left governments, including the U.S., scrambling to catch up. For example, as of 2023, the Internal Revenue Service (IRS) considers cryptocurrency property for tax purposes. This means the tax laws that apply to property transactions, like selling or exchanging property, also apply to cryptocurrencies. Cryptocurrency Basics Cryptocurrencies such as Bitcoin, Ethereum, and others are digital or virtual currencies…
Crypto Adventure
@CryptoAdventure
@CryptoAdventure
1 week ago 149 views
The Best Beginner Crypto Trading Strategies to Learn
As the cryptocurrency market continues to evolve, it offers exciting opportunities for investors and traders alike. The market's volatility might seem intimidating for beginners, but if equipped with the right strategies, one can navigate the crypto space effectively. Here are some beginner-friendly crypto trading strategies that could help you embark on your trading journey. 1. Dollar-Cost Averaging (DCA) Dollar-cost averaging (DCA) is a strategy where you invest a fixed amount of money in a particular cryptocurrency regularly, irrespective of its…
Crypto Adventure
@CryptoAdventure
@CryptoAdventure
1 week ago 115 views
Understanding Utility NFTs: A Comprehensive Guide
Before we dive into utility NFTs, let's briefly recap what NFTs are. NFTs, or Non-Fungible Tokens, are a type of digital asset created using blockchain technology. They're "non-fungible" because they are unique and can't be replaced with something else. This contrasts with fungible cryptocurrencies like Bitcoin or Ethereum, which can be exchanged like-for-like. NFTs can represent ownership or proof of authenticity for a wide range of tangible and intangible items, including artwork, collectibles, music, games, and more. What Are Utility…
Crypto Adventure
@CryptoAdventure
@CryptoAdventure
1 week ago 96 views
A Beginners Guide to Trading Cryptocurrency in 2023
Cryptocurrency has gained considerable popularity in recent years, and many individuals are now exploring the opportunities it provides. Trading cryptocurrency may seem daunting to a newcomer due to its volatility and complexity. Still, this guide will simplify the process, providing a clear roadmap to entering the exciting cryptocurrency trading world. Understanding Cryptocurrency The first step is to understand the basics of cryptocurrency. A cryptocurrency is a digital or virtual currency that uses cryptography for security. It operates independently of a…
Marius Bogdan Dinu
@bdinu89
@bdinu89
2 weeks ago 199 views
Cyfrin – Top Smart Contract Audit Company
The world of Decentralized Finance (DeFi) and blockchain technology is rapidly evolving, and with it come several security risks. As the industry matures, smart contract audits become increasingly important to ensure that projects run securely and efficiently. Cyfrin is at the forefront of this new blockchain security wave by offering developers and investors smart contract audit services. With experienced and certified professionals on staff, Cyfrin guarantees secure, reliable audits backed by industry best practices. In this article, we'll look into…
Marius Bogdan Dinu
@bdinu89
@bdinu89
4 weeks ago 809 views
How to Choose the Best Crypto Portfolio Tracker for Beginners
As a beginner in cryptocurrencies, it's essential to have access to accurate and up-to-date information to make informed decisions. A crypto tracker is a valuable tool that helps you monitor and analyze various cryptocurrencies, their prices, and other related data. This guide will walk you through choosing the best crypto tracker to suit your needs. Identify Your Requirements Before choosing a crypto tracker, it's crucial to determine your specific needs. As a beginner, you may be interested in the following:…
Block Education
@BlockEducation
@BlockEducation
1 month ago 493 views
AI GameToEarn – Rewarding Player Skill and Competitiveness with $100k Guaranteed in a New Web3 Space
The transition from Web2 to Web3 has opened the door to new possibilities. However, AI GameToEarn has identified several challenges in the current gaming sector. Through multiple features, a comprehensive tokenomics model, and a whitelist event, AI GameToEarn seeks to transform everyone's digital gaming experience. Today, we'll look at what this team intends to offer to the Web3 community. Then, we'll have time to mention the project's future milestones, NFTs, and more. Overview of AI GameToEarn Let's begin by understanding…
Crypto Adventure
@CryptoAdventure
@CryptoAdventure
1 month ago 897 views