Euler DeFi Protocol Exploited for Nearly $200M

Decentralized-finance (DeFi) lending protocol Euler Finance has suffered an exploit that resulted in almost $200 million being lost.

The losses occurred over four transactions in dai (DAI), wrapped bitcoin (WBTC), staked ether (sETH) and USDC, according to smart contract auditor BlockSec. The attacker used a flash loan to conduct the attack.

"We are aware and our team is currently working with security professionals and law enforcement," Euler Finance said in a tweet. "We will release further information as soon as we have it."

Flash loans allow DeFi users to borrow millions of dollars against zero collateral. This isn’t crypto magic or free money: The loan must be repaid before the transaction ends or the smart contract reverses the transaction – as if the loan never existed. They are a popular way for attackers to gain funds to conduct exploits on decentralized systems. In April 2022, the Beanstalk stablecoin protocol was drained of $182 million, and in May 2022, more than $1.2 million was taken from Inverse Finance.

Euler's attackers used the loan to temporarily trick the protocol into falsely assuming it held a low amount of eToken, a collateral token issued by Euler based on whichever token is deposited on the protocol. A separate dToken, or debt token, is also issued by Euler so that an on-chain liquidation is automatically triggered when the amount of dTokens exceeds the amount of eTokens held on the platform.

The attacker took out over $30 million worth of dai stablecoin using flash loans from DeFi protocols Balancer and Aave, on-chain data shows. Some $20 million of that was sent to Euler, on which the attacker received $19.5 million worth of eDAI.

The attacker then borrowed 10 times the deposited amount from Euler, receiving 195.6 million eDAI and 200 million dDAI. The attacker repaid part of the initial debt using the remaining funds, tricking the protocol into falsely assuming it owed more to depositors than it held.

DeFi exploits – in which hackers make use of the open-source nature of a platform's code to gain unauthorized access to its assets – are one of the foremost problems plaguing the industry.

According to blockchain analytics firm Chainalysis, over $3 billion was stolen from DeFi protocols via hacks or exploits in 2022.

UPDATE (March 13, 10:10 UTC): Adds comment from Euler Finance and information on the nature of exploits and their prevalence in the DeFi industry

UPDATE (March 13, 12:15 UTC): Updates amount taken in headline, first paragraph; adds attack vector in second paragraph, attack details starting in fifth.

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Jamie Crawley

Jamie Crawley is a CoinDesk news reporter based in London.

Follow @JamieCrawleyCD on Twitter

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.

Follow @shauryamalwa on Twitter

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.