Decentralized finance (DeFi) lending protocol Euler Finance became a victim of a flash loan attack on March 13, resulting in the biggest hack of crypto in 2023 so far. The lending protocol lost nearly $197 million in the attack and impacted more than 11 other DeFi protocols as well.
On March 14, Euler came out with an update on the situation and notified its users that they had disabled the vulnerable etoken module to block deposits and the vulnerable donation function.
The firm said that they work with various security groups to perform audits of its protocol, and the vulnerable code was reviewed and approved during an outside audit. The vulnerability was not discovered as part of the audit.
One of our auditing partners, @Omniscia_sec, prepared a technical post-mortem and analysed the attack in great detail. You can read their report here:https://t.co/u4Z2xdutwe
In short, the attacker exploited vulnerable code which allowed it to create an unbacked token debt… https://t.co/FGnPqvYUGB
— Euler Labs (@eulerfinance) March 14, 2023
The vulnerability remained on-chain for eight months until it was exploited, despite a $1 million bug bounty in place.
Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler submit a claim. The audit protocol later voted on the claim for $4.5 million, which passed, and later executed a $3.3 million payout on March 14.
In its analysis report, the audit group noted a significant factor for the exploit: a missing health check in “donateToReserves,” a new function added in EIP-14. However, the protocol stressed that the attack was still technically possible even before EIP-14.
Related: More than 280 blockchains at risk of ‘zero-day’ exploits, warns security firm
Sherlock noted that the Euler audit by WatchPug in July 2022 missed the critical vulnerability that eventually led to the exploit in March 2023.
Similarly, Sherlock stands behind every auditor who reviewed Euler.
Sherlock initially worked with @cmichelio to audit the first version of Euler in Dec 2021, then with @shw9453 to audit a very small update in Jan 2022, and finally with @WatchPug_ to audit EIP-14 in July 2022.
— SHERLOCK (@sherlockdefi) March 13, 2023
Euler has also reached out to leading on-chain analytic and blockchain security firms, such as TRM Labs, Chainalysis and the broader ETH security community, in a bid to help them with the investigation and recover the funds.
Euler notified that they are also trying to contact those responsible for the attack in order to learn more about the issue and possibly negotiate a bounty to recover the stolen funds.