On March 13, Euler Finance, a decentralized finance (DeFi) lending protocol, fell victim to a flash loan attack, resulting in the largest crypto hack of 2023 so far, with a loss of almost $197 million. Over 11 other DeFi protocols were also affected by the hack.

On March 14, Euler Finance updated its users, stating that it had disabled the vulnerable eToken module to block deposits and the vulnerable donation function.

The company has been working with various security groups to perform audits on its protocol. The vulnerable code was approved during an outside audit, which did not detect the vulnerability.

Despite having a $1 million bug bounty in place, the vulnerability remained on-chain for eight months until it was exploited.

Euler has reached out to several leading on-chain analytics and blockchain security firms, such as TRM Labs and Chainalysis, as well as the broader ETH security community, to assist in the investigation and help recover the funds.

Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler submit a claim for $4.5 million, which was later executed with a payout of $3.3 million on March 14.

The audit group’s analysis report noted a significant factor for the exploit: a missing health check in “donateToReserves,” a new function added in EIP-14. However, Euler stressed that the attack was still technically possible even before EIP-14.
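To illustrate what a missing health check means for a lending market, the following added example is a simplified Python model, not Euler's contract code. Everything in it other than the idea of a donation to reserves is an assumption: the class and function names, the 80% collateral factor and the sample balances are constructed.

```python
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator

class Unhealthy(Exception):
    """The operation would leave the account undercollateralized."""

@dataclass
class Account:
    collateral: int  # deposit balance (hypothetical unit, same asset as debt)
    debt: int        # outstanding borrow

@dataclass
class Market:
    collateral_factor_bps: int = 8_000  # constructed value: 80% of collateral counts
    reserves: int = 0

    def is_healthy(self, acct: Account) -> bool:
        # Risk-adjusted collateral must cover the debt.
        return acct.collateral * self.collateral_factor_bps >= acct.debt * BPS

    def _move_to_reserves(self, acct: Account, amount: int) -> None:
        if amount <= 0 or amount > acct.collateral:
            raise ValueError("invalid donation amount")
        acct.collateral -= amount
        self.reserves += amount

    def donate_unchecked(self, acct: Account, amount: int) -> None:
        # Missing-check pattern: collateral leaves the account, solvency is never re-evaluated.
        self._move_to_reserves(acct, amount)

    def donate_checked(self, acct: Account, amount: int) -> None:
        # Hardened pattern: same state change, then enforce the health invariant.
        self._move_to_reserves(acct, amount)
        if not self.is_healthy(acct):
            acct.collateral += amount  # roll back, as a contract revert would
            self.reserves -= amount
            raise Unhealthy("donation would leave account undercollateralized")

def demo() -> dict:
    weak, hard = Market(), Market()
    a, b = Account(100, 60), Account(100, 60)  # constructed sample positions
    weak.donate_unchecked(a, 50)
    try:
        hard.donate_checked(b, 50)
        rejected = False
    except Unhealthy:
        rejected = True
    return {"unchecked_healthy": weak.is_healthy(a), "checked_rejected": rejected,
            "checked_collateral": b.collateral, "checked_reserves": hard.reserves}
```

The general review point is that any function that reduces an account's collateral or increases its debt should end with the same solvency check that borrow and withdraw paths use.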

Euler is also attempting to contact the perpetrators responsible for the attack to learn more about the issue and possibly negotiate a bounty to recover the stolen funds.