Euler Finance falls victim to a flash loan attack

Tuesday 14 March 2023 10:54 CET | News

A hacker has exploited a bug in one of Euler Finance’s smart contracts and performed a flash loan attack that drained more than USD 196 million.


To be specific, the attacker managed to steal millions in Dai, staked Ether, USD Coin, and wrapped Bitcoin. Blockchain security firm SlowMist performed a detailed analysis of the attack and concluded that the hacker used flash loans to deposit funds before leveraging them twice to trigger liquidation. Afterwards, he donated the funds to a reserved address and conducted a self-liquidation to collect any remaining assets. 

The exploit was successful for two main reasons. First of all, the funds were donated to the reserved address without being subjected to a liquidity check, triggering soft liquidation. Furthermore, when the soft liquidation logic was triggered by high leverage, the yield value increased, which allowed the liquidator to obtain most of the collateral funds from the liquidated user's account by transferring only a portion of the liabilities to themselves. 

The value of the collateral funds exceeded the value of the liabilities, which allowed the liquidator to successfully pass their health factor check and withdraw the obtained funds. 

Representatives from blockchain security firm OpenZeppelin cited by pointed towards a bug in one of the Euler smart contracts, where it doesn’t check for the health factor when executing the donateToReservers() function. The same source explained that the attacker exploited the bug in order to liquidate himself from the protocol, repay the flash loan and make a very large profit.


A hacker has exploited a bug in one of Euler Finance’s smart contracts and performed a flash loan attack that drained more than USD 196 million.


Contagion and fund recovery efforts

According to Cointelegraph, Euler Finance has been working with various security groups to perform audits of its protocol. The vulnerable code that made the hack possible was reviewed and approved during an outside audit, and the vulnerability was not discovered as part of the audit.  

In the wake of the attack, Euler Finance issued an update and informed its users that they have stopped the direct attack as soon as possible by helping disable the EToken module, which blocked deposits and the vulnerable donation function. They also tapped TRM Labs, Chainalysis, and the broader ETH security community to help with the investigation and work to recover funds. US and UK law enforcement agencies were informed of the event, but the company also reached out to the attackers in order to discuss options. 

As far as contagion goes, the flash loan attack against Euler resulted in frozen or lost funds for 11 different decentralised finance (DeFi) protocols. Balancer, an Ethereum protocol with over USD 1 billion total value locked (TVL), is among the affected protocols.

More: Link

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: cybercrime, hacking, cryptocurrency, lending
Categories: Fraud & Financial Crime
Companies: Euler Finance
Countries: United Kingdom
This article is part of category

Fraud & Financial Crime

Euler Finance

Discover all the Company news on Euler Finance and other articles related to Euler Finance in The Paypers News, Reports, and insights on the payments and fintech industry: