Cointime

Download App
iOS & Android

$197 Million Stolen: Euler Finance Flash Loan Attack Explained [UPDATED 3/17/23]

Validated Project

New updates, 3/17/23: Possible North Korean involvement

Early in the morning of March 17, 2023, 100 ETH stolen in the Euler Finance hack moved to an address that previously received funds stolen in the Axie Infinity Ronin Bridge hack, which was carried out by the North Korean hacking syndicate Lazarus Group.

This could also mean that the Euler Finance hack was also carried out by Lazarus Group. However, we can’t yet know for sure — it’s possible that this movement of funds was an attempt at misdirection by another hacking group. We will continue to monitor the situation and provide updates as possible.

Original post: Analysis of Euler Finance flash loan attack

On March 13, 2023, Euler Finance, a permissionless borrowing and lending protocol on Ethereum, was the victim of a flash loan attack. Euler Finance isn’t the first DeFi hack victim this year — dForce and Platypus were similarly targeted in February — but it is unfortunately the largest. At a whopping near-$200 million loss, hackers stole funds in USDC, wrapped Bitcoin (wBTC), staked Ether (stETH), and DAI, an algorithmic stablecoin maintained by MakerDAO. A hack of this magnitude illustrates both the ongoing threats to widely used DeFi protocols and the potential hacking abuses opened up by flash loans.

In this blog, we’ll explore how flash loans work, how hackers stole funds from Euler Finance, and how the effects of flash loan attacks may be mitigated in the future.

What is a flash loan?

Before analyzing the details of the Euler hack, it is important to understand how flash loans typically work. Flash loans are executed by smart contracts and enable participants to quickly borrow funds without the need for collateral. However, these loans must be repaid in full within the same transaction, or else the entire transaction, including the loan itself, will be reversed. Flash loans are attractive for DeFi traders looking to maximize arbitrage opportunities. They are also commonly used for swapping collateral and self-liquidation.

Although there are several legitimate uses of flash loans, hackers can also use them to manipulate DeFi protocols’ pricing oracles. They do this by taking advantage of the lack of collateralization to borrow huge amounts of funds, which they can then use to manipulate token prices, typically by buying or short selling high volumes of tokens with thin supply levels.

How the Euler Finance flash loan attack occurred

When users borrow and lend using the Euler Finance platform, they primarily transact with two types of tokens: eTokens (which represent collateral) and dTokens (which represent debt). Euler issues eTokens based on the types of funds deposited by users; dTokens automatically trigger on-chain liquidation when the platform holds more dTokens than eTokens.

The hack was made possible by a liquidity issue in the DonateToReserve function of the eToken. This function was properly burning eTokens, but not dTokens, leading to an incorrect conversion of borrowed assets to collateralized assets. Euler’s hacker took advantage of these inconsistencies to create a false impression that the platform had a low amount of deposited eTokens and fake debt due to the fact that the dTokens were not burned.

We currently have reason to believe that there were two primary on-chain entities involved in the hack: a front-running MEV bot (using the wallet 0x5F259D0b76665c337c6104145894F4D1D2758B8c) and the hacker’s primary personal wallet (using the wallet 0xb66cd966670d962C227B3EABA30a872DbFb995db). The hacker hardcoded their lending contract so that the personal wallet received most of the funds, regardless of which entity executed which transactions.

The hacker received initial funding from the sanctioned mixer Tornado Cash for gas fees and to create the contracts used in the exploit, then initiated a flash loan to borrow around $30 million in DAI from the DeFi protocol Aave. After this, the hacker deposited $20 million of that DAI into Euler’s platform, receiving a similar amount in eDAI tokens. By leveraging Euler’s borrowing capabilities, the hacker was able to borrow 10 times the original deposited amount. The hacker then used the remaining $10 million in DAI from the original loan to repay part of the acquired debt (dDAI) and reused the mint function to borrow again until the flash loan was closed. After the hack was complete, the hacker moved some of the funds back to Tornado Cash. Investigators would need to employ advanced investigative techniques like those Chainalysis offers to pursue the funds further.

We can see some of these steps in the Chainalysis Storyline graph below:

Open in new tab to enlarge

Overall, Euler lost roughly $197 million worth of cryptocurrency, spread across DAI, wBTC, stETH, and USDC. Additionally, Euler’s native token, EUL, declined more than 45%.

Reducing hacking risks

Although it can be difficult to identify DeFi platform vulnerabilities, there may be several methods to mitigate risk of flash loan attacks to protect cryptocurrency participants from similar catastrophic events. For instance, circuit breakers could be used to temporarily halt protocols when there are unusually large price movements or outflows so that hacks can be stopped early. We will continue to monitor the Euler hack situation and provide updates as possible.

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.

Read more: https://blog.chainalysis.com/reports/euler-finance-flash-loan-attack/

Comments

All Comments

Recommended for you

  • APRO Oracle has successfully completed $3M seed round of financing

    With strong support from renowned VCs like Polychain Capital, Franklin Templeton, ABCDE Capital, CMS Holdings, Comma3 Ventures, UTXO Ventures, Oak Grove Ventures, Presto Labs, and others,APRO Oracle has successfully completed $3M seed round of financing and driving innovation in the Bitcoin ecosystem.

  • Web3 game studio Dragonz Lab announces $9 million in funding

    According to Chainwire, Dragonz Lab, a Web3 game studio from the UK, announced today that it has received a round of $9 million in funding, led by Syndicate Capital Limited Partnership Fund (LPF). LPF is a venture capital fund focused on Web3, blockchain, and artificial intelligence investments. This strategic equity investment aims to promote the development of Dragonz Land, a practical Play-2-Earn game.

  • India Delays Release of Crypto Policy Discussion Paper Due to Other Priorities

    India has not yet released a discussion paper on cryptocurrencies, which was originally planned for publication in September. The delay is due to officials prioritizing other matters, such as this month's World Bank meetings, over stakeholder consultations. Two anonymous sources have confirmed that the document is still intended for publication, but no timeline has been set. The paper was expected to outline India's policy stance on cryptocurrencies after consultations with the central bank and markets regulator.

  • Uniswap’s market share in DEX has dropped to 36%

    The DEX landscape is undergoing changes, with the market share of the veteran decentralized exchange Uniswap dropping from over 50% in October 2023 to the current 36%.

  • Exowatt completes $20 million financing, a16z participates in the investment

    Startup company Exowatt announced that it is addressing the energy needs of data centers through its ceramic battery technology. The company claims that its technology can store solar energy for months, helping to cope with the rapid growth of power consumption in data centers. The company has received $20 million in seed funding, with investors including a16z and Altman. According to reports, Exowatt has accumulated 1.2 gigawatts of orders, mainly focused on data centers and cryptocurrency mining projects in the United States.

  • Singapore police investigate Worldcoin account transactions, arrest five people

    On September 10th, Singapore's Deputy Prime Minister Heng Swee Keat announced that Singaporean police are investigating seven individuals suspected of providing Worldcoin account and token trading services. This investigation involves possible violations of the Payment Services Act of 2019, and the police have arrested five people.

  • Putin: Russia "supports" Harris, calls her smile "contagious"

    According to foreign media such as TASS and Russia's Sputnik News, Jinse Finance reported that on the afternoon of September 5th local time, Russian President Putin said at the plenary session of the Eastern Economic Forum 2024 that Russia will "support" the US Democratic Party presidential candidate and vice president Harris as recommended by the US President Biden in the upcoming US presidential election. When asked how he viewed the 2024 US election, Putin said it was the choice of the American people. The new US president will be elected by the American people, and Russia will respect the choice of the American people. Putin also said that just as Biden suggested his supporters to support Harris, "we will do the same, we will support her." The report said that Putin also joked that Harris' laughter is "expressive and infectious," which shows that "she is doing everything well." He added that this may mean that she will avoid further sanctions against Russia.

  • An ETH whale repurchased 5,153 ETH with 12.23 million USDT 20 minutes ago

    A certain high-frequency trading ETH whale monitored by on-chain analyst Yu Jin bought 5,153 ETH with 12.23 million USDT 20 minutes ago.

  • CFTC: Uniswap Labs has actively cooperated with the investigation and only needs to pay a fine of US$175,000

    The CFTC has filed a lawsuit against Uniswap Labs and reached a settlement. It was found that Uniswap Labs illegally provided leveraged or margined retail commodity transactions of digital assets through a decentralized digital asset trading protocol. Uniswap Labs was required to pay a civil penalty of $175,000 and cease violations of the Commodity Exchange Act (CEA). The CFTC acknowledged that Uniswap Labs actively cooperated with law enforcement agencies in the investigation and reduced the civil penalty.

  • DeFi TVL exceeds $95 billion again

    According to defillama data, as of May 18, 2024, the total value locked (TVL) in DeFi has once again surpassed $95 billion. It is currently reported at $95.069 billion, an increase of nearly $12 billion from the low point of $83.04 billion 35 days ago. Among the top five protocols in terms of TVL, Eigenlayer has the highest 30-day increase, with TVL rising by 19.67% to a total of $15.455 billion.