To be specific, the attacker managed to steal millions in Dai, staked Ether, USD Coin, and wrapped Bitcoin. Blockchain security firm SlowMist performed a detailed analysis of the attack and concluded that the hacker used flash loans to deposit funds before leveraging them twice to trigger liquidation. Afterwards, he donated the funds to a reserved address and conducted a self-liquidation to collect any remaining assets.
The exploit was successful for two main reasons. First of all, the funds were donated to the reserved address without being subjected to a liquidity check, triggering soft liquidation. Furthermore, when the soft liquidation logic was triggered by high leverage, the yield value increased, which allowed the liquidator to obtain most of the collateral funds from the liquidated user's account by transferring only a portion of the liabilities to themselves.
The value of the collateral funds exceeded the value of the liabilities, which allowed the liquidator to successfully pass their health factor check and withdraw the obtained funds.
Representatives from blockchain security firm OpenZeppelin cited by cointelegraph.com pointed to a bug in one of the Euler smart contracts, which doesn’t check the health factor when executing the donateToReserves() function. The same source explained that the attacker exploited the bug in order to liquidate himself from the protocol, repay the flash loan and make a very large profit.
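As an added illustration (not code from Euler or from this article), the following simplified Python model contrasts a donation path that skips the post-operation health-factor check with one that enforces it; the single-asset accounting and the account figures are constructed assumptions.

```python
from dataclasses import dataclass

HEALTH_THRESHOLD = 1.0  # below this ratio the account is liquidatable


class InsufficientHealth(Exception):
    """Raised when an operation would leave the caller under-collateralised."""


@dataclass
class Account:
    # Simplified model (an assumption of this example): one collateral asset and
    # one borrowed asset, both valued in the same unit, with no interest accrual.
    collateral: float
    debt: float

    def health_factor(self) -> float:
        # Collateral value over liability value; no debt means unlimited health.
        return float("inf") if self.debt == 0 else self.collateral / self.debt

    def is_liquidatable(self) -> bool:
        return self.health_factor() < HEALTH_THRESHOLD


def donate_unchecked(account: Account, amount: float) -> Account:
    """Vulnerable pattern: collateral leaves the account and nothing re-checks solvency."""
    if amount > account.collateral:
        raise ValueError("cannot donate more than the account holds")
    account.collateral -= amount
    return account


def donate_checked(account: Account, amount: float) -> Account:
    """Hardened pattern: same state change, followed by a health-factor check."""
    if amount > account.collateral:
        raise ValueError("cannot donate more than the account holds")
    account.collateral -= amount
    if account.is_liquidatable():
        # Revert-style behaviour: undo the change and refuse the operation.
        account.collateral += amount
        raise InsufficientHealth(f"health factor {account.health_factor():.2f} < {HEALTH_THRESHOLD}")
    return account


def demo() -> dict:
    """Constructed figures: 200 units of collateral backing 150 units of debt."""
    unchecked = donate_unchecked(Account(200.0, 150.0), 80.0)  # health 1.33 -> 0.80
    try:
        donate_checked(Account(200.0, 150.0), 80.0)
        checked_reverted = False
    except InsufficientHealth:
        checked_reverted = True
    safe = donate_checked(Account(200.0, 150.0), 20.0)  # health 1.33 -> 1.20
    return {"unchecked_liquidatable": unchecked.is_liquidatable(),
            "checked_reverted": checked_reverted,
            "safe_health": safe.health_factor()}
```

The unchecked path leaves an account that passes as healthy before the call but is liquidatable afterwards, which is exactly the state the checked path refuses to create.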
According to Cointelegraph, Euler Finance has been working with various security groups to perform audits of its protocol. The vulnerable code that made the hack possible was reviewed and approved during an outside audit, and the vulnerability was not discovered as part of the audit.
In the wake of the attack, Euler Finance issued an update and informed its users that it had stopped the direct attack as quickly as possible by helping disable the EToken module, which blocked deposits and the vulnerable donation function. It also tapped TRM Labs, Chainalysis, and the broader ETH security community to help with the investigation and work to recover funds. US and UK law enforcement agencies were informed of the event, but the company also reached out to the attackers in order to discuss options.
As far as contagion goes, the flash loan attack against Euler resulted in frozen or lost funds for 11 different decentralised finance (DeFi) protocols. Balancer, an Ethereum protocol with over USD 1 billion total value locked (TVL), is among the affected protocols.