DeFi Lender Euler Suffers $200M Exploit

Code Bug Enabled Flash Loan Attack

DeFi Lender Euler Suffers $200M Exploit

Euler, a lending protocol that held over $400M of user assets as of yesterday, has been exploited for nearly $200M in what may be the biggest DeFi exploit of 2023.

The attacker managed to steal nearly $136M of Lido Finance’s stETH, $34M of USDC, $18.5M of WBTC and $8.8M in DAI.

The protocol’s EUL governance token lost over half its value in the wake of the attack.

EUL Price. Source: Coingecko

The Euler team has confirmed that it is working with TRM Labs, Chainalysis and the broader Ethereum security community to track and attempt to recover the stolen funds. UK and US law enforcement has also been notified.

Euler’s total value locked (TVL) currently stands at just over $10M.

Euler TVL. Source: Defi Llama

Vulnerable Function

The exploit stemmed from a vulnerability in a smart contract function called ‘donateToReserve’ that was added as part of a major overhaul eight months ago and allows users to donate small balances to the protocol’s reserve.

Source: Euler GitHub

Euler uses two types of tokens to track user balances. eTokens represent collateral assets, while dTokens represent users’ debts. 

Leveraged positions are liquidated when a user’s dToken balance exceeds their eToken balance, and liquidators are incentivized to do so through a discount offered by the protocol to ensure smooth operation.

As per a post-mortem from Omniscia, one of Euler’s auditors, the core issue is that the donate function does not include a ‘health check’ to ensure that the user remains adequately collateralized post-donation. 

As a result, the attacker was able to create an underwater position and liquidate themselves using another malicious contract created for that purpose.

Security firm Peckshield illustrated the attack using Euler’s DAI market, which was exploited for $8.8M, as an example.

DAI Market Exploit. Source: Peckshield

The conversion rate refers to the liquidation discount, which was set to the maximum of 25% in this case due to the extremely low collateralization of the account post-donation.

The attacker repeated the same process to drain the stETH, WBTC and USDC markets, netting a total of $197M.

On-chain analyst ZachXBT noted that the same address had previously attacked a DeFI protocol on BNB Smart Chain for $346,000 and used privacy mixer Tornado Cash to launder those funds.

Flash Loans

A flash loan is a DeFi feature that allows users to borrow large amounts of money without posting any collateral. However, the loan must be repaid within the same Ethereum block.

Flash loan attacks are, unfortunately, all too common in DeFi. In October 2021, another money market, Cream Finance, suffered a $130M flash loan exploit.

Malicious actors drained $3.2 billion from DeFi platforms last year through a variety of attacks.

DeFi Fallout

Euler is widely integrated with the broader DeFi ecosystem due to a combination of being well-regarded and offering liquidity incentives, and the exploit has affected many protocols that either deposited funds in Euler or had indirect exposure.

Decentralized exchange Balancer said that its emergency subDAO has paused all liquidity pools containing Euler-boosted USD (bbeUSD), and put bbeUSD in recovery mode.

The Balancer team says there is no further risk of loss. It added that bbeUSD LPs will be able to exit their positions once further clarity is obtained from the Euler team.

Angle Protocol, the issuer of the euro-pegged agEUR stablecoin, said that it was exposed to the tune of $17.6M worth of USDC and has released a post-mortem.

The smart contract in question was audited by Sherlock, which has approved a payout of $4.5M from its insurance fund.