Decentralized-finance (DeFi) lending protocol Euler Finance has suffered an exploit that resulted in almost $200 million being lost.
"We are aware and our team is currently working with security professionals and law enforcement," Euler Finance said in a tweet. "We will release further information as soon as we have it."
Flash loans allow DeFi users to borrow millions of dollars against zero collateral. This isn’t crypto magic or free money: The loan must be repaid before the transaction ends or the smart contract reverses the transaction – as if the loan never existed. They are a popular way for attackers to gain funds to conduct exploits on decentralized systems. In April 2022, the Beanstalk stablecoin protocol was drained of $182 million, and in May 2022, more than $1.2 million was taken from Inverse Finance.
Euler's attackers used the loan to temporarily trick the protocol into falsely assuming it held a low amount of eToken, a collateral token issued by Euler based on whichever token is deposited on the protocol. A separate dToken, or debt token, is also issued by Euler so that an on-chain liquidation is automatically triggered when the amount of dTokens exceeds the amount of eTokens held on the platform.
The attacker took out over $30 million worth of dai stablecoin using flash loans from DeFi protocols Balancer and Aave, on-chain data shows. Some $20 million of that was sent to Euler, on which the attacker received $19.5 million worth of eDAI.
The attacker then borrowed 10 times the deposited amount from Euler, receiving 195.6 million eDAI and 200 million dDAI. The attacker repaid part of the initial debt using the remaining funds, tricking the protocol into falsely assuming it owed more to depositors than it held.
DeFi exploits – in which hackers make use of the open-source nature of a platform's code to gain unauthorized access to its assets – are one of the foremost problems plaguing the industry.
According to blockchain analytics firm Chainalysis, over $3 billion was stolen from DeFi protocols via hacks or exploits in 2022.
UPDATE (March 13, 10:10 UTC): Adds comment from Euler Finance and information on the nature of exploits and their prevalence in the DeFi industry
UPDATE (March 13, 12:15 UTC): Updates amount taken in headline, first paragraph; adds attack vector in second paragraph, attack details starting in fifth.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish, a cryptocurrency exchange, which in turn is owned by Block.one, a firm with interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets including bitcoin and EOS. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.