The $197 million hack on Euler Finance has sent shockwaves through the DeFi community, raising concerns about the security of decentralized platforms. Critics argued again that this incident showcased the inherent risks associated with DeFi platforms that would not allow this technology to gain a widescale public adoption.
The Technical Details of Euler Finance Hack
When users borrow and lend on Euler Finance, the protocol creates two types of tokens: eTokens, issued against deposited collateral and dTokens, created against the debt. The two are designed to work together and trigger on-chain liquidation of positions when the platform holds more dTokens than eTokens.
According to post-mortem analysis, a non-essential function on eToken smart contract, DonateToReserve, was properly burning eTokens, but not dTokens. The hacker took advantage of this inconsistency and used 'DonateToReserve' to create a false impression of a low amount of deposited eTokens and fake debt due to the fact that the dTokens were not burned. As the ratio of the collateral assets in eTokens to the debt assets in dTokens was less than 1, this allowed the hacker to liquidate its debt position without transferring funds to the protocol.
The hacker transacted digital assets of over $300 million in both DAI and ETH pools, leveraging the initial deposit of $30 million more than ten times. The original deposit was borrowed using flash loans on Aave protocol. According to our observations flash loans are instrumental for this kind of transaction.
Euler Finance's auditing partner, cybersecurity firm Omniscia, has published a report explaining the details of the hack. They also stated that the troubled function was introduced after their review:
The donateToReserves function was audited by the Sherlock team in July 2022. Euler Finance and Sherlock have confirmed that Euler had an active coverage policy with Sherlock at the time of exploit.
The aftermath of Euler Finance Hack
In the aftermath of the attack, Euler Finance attempted to negotiate with the hacker by offering them 10% of the $200 million stolen in exchange for returning the remainder within 24 hours. This offer was not accepted, prompting Euler Finance to announce a $1 million reward for information leading to the identification of the attacker and the return of all stolen funds.
Following that, the hacker sent 100 Ether (roughly $1.8 million) to a wallet address linked to the last year's Ronin network bridge exploit. That address is marked as connected to the North Korean Notorious Hacking Group Lazarus. Observers point out that this could be a false flag transaction by the hacker to deceive investigators.
On March 18, roughly 3,000 ETH (roughly $5,4 million) were returned to Euler Finance’s deployer address from the Euler Finance hacker’s address.
Further, on March 21, cryptocurrency research firm CertiK Alert tweeted that the lending platform Euler Finance was contacted by an exploiter through on-chain messages where the exploiter expressed a desire to reach an agreement. The message reads:
We want to make this easy on all those affected. No intention of keeping what is not ours… Setting up secure communication. Let us come to an agreement.
Euler Finance responded with its own on-chain message, acknowledging the exploiter’s message and requesting a private conversation. At the time of writing, we have no more details on the case, but we continue observations and will publish the updates.