Euler Labs is offering a $1M bounty for information that leads to the arrest of a hacker who stole more than $200M from the Euler protocol on Monday.
The hack is the sixth-largest in DeFi history. Despite the massive sum, the U.K.-based company offered the hacker an escape hatch: return 90% of the stolen funds by Thursday, and we’ll drop charges, it told the hacker via a message embedded in an Ethereum transaction.
The Euler protocol had more than $500B in TVL prior to the exploit and was a poster child for DeFi’s composability, the ability to mix and match independent protocols to create top-to-bottom financial products.
But Monday’s hack has put a spotlight on the other side of composability: the compounding risk that comes with integrating myriad financial software products. At least 14 protocols and their users were affected by the hack.
Investors seem to have little faith that the money will be recovered. The price of Euler’s EUL governance token continued to drop Wednesday, hitting an all-time low of $2.30, according to data from CoinGecko.
Euler isn’t the only company to have sought help from the authorities.
Pablo Veyrat, the co-founder of Angle Labs, the company behind a euro-pegged stablecoin, told The Defiant his company was also in contact with law enforcement.
The Angle protocol allows users to mint agEUR. Half of its TVL (over $17M) was lost in the Euler hack.
“It put us in a bad situation to have lost this amount, so we’re doing everything we can to help the Euler team to recover the funds from the hack,” he said.
In a report for the St. Louis Fed, blockchain scholar Fabian Schar likened DeFi protocols to Lego blocks.
“The shared settlement layer allows these protocols and applications to interconnect. On-chain fund protocols can make use of decentralized exchange protocols or achieve leveraged positions through lending protocols,” he wrote. “Any two or more pieces can be integrated, forked, or rehashed to create something entirely new.”
On the flip side, that integration can introduce “severe dependencies.”
“If there is an issue with one smart contract, it may potentially have wide-reaching consequences for multiple applications across the entire DeFi ecosystem,” he continues.
Mean Finance is another protocol affected by the Euler hack. It allows users to automate dollar-cost averaging, a financial strategy in which an investor buys an asset on a set schedule to smooth out price volatility. The Euler integration meant Mean Finance users could opt to earn yield as the protocol handled dollar-cost averaging on their behalf.
About $80,000, or 22% of deposits on Ethereum — and 5% of total deposits — were routed through Euler and lost in the hack, according to pseudonymous Mean Finance co-founder 0xged. The remainder of the protocol’s funds were unaffected.
0xged told The Defiant that he lost between 35% and 40% of his net worth in the hack. Although he has been building on Ethereum since 2016, his experience this week has shaken his confidence in the notion of composability.
“I’m pretty into the DeFi Lego stuff,” he said. “Mean Finance, our [dollar-cost average] primitive, also aims to be a part of that. … It’s a 100x improvement upon legacy finance. But it comes with so many risks.”
To mitigate the inherent risk, Mean Finance allowed users to choose whether to generate yield via Euler. (A similar integration with Aave is set to debut soon.) But he’s no longer certain crypto’s do-you-own-research ethos will serve an industry that hopes to replace legacy financial institutions.
“We want to have user-facing applications, to get the ‘next billion users.’ And you can’t onboard 1B users and let them choose their risk and do the due diligence there,” he said.
At the heart of the issue: DeFi protocols’ apparent outsized vulnerability to hacks and the herculean effort to limit those hacks.
“If a great team like Euler can’t maintain their security,” 0xged lamented, “what about the protocols that are bootstrapped, or that are raising [only] $1M — what can we do?”
An audit for a “small part” of Mean Finance’s code cost $75,000 — a substantial sum for a development team based in Argentina. A protocol-wide audit from a preeminent firm could have cost as much as $1M.
agEUR Redemptions Paused
Angle, the protocol that issues the agEUR euro-backed stablecoin, put its USDC and DAI reserves in Euler, Compound and Aave to generate yield. More than $17M had been deposited in Euler.
If Euler fails to recover the stolen crypto, agEUR would lose its backing, according to information Angle Labs shared on social media. The ability to mint and burn agEUR has been paused indefinitely.
Veyrat, the co-founder, said he still believes composability’s rewards are greater than its risks. Without it, DeFi would be no better than the legacy systems it seeks to replace.
“If you think of Angle, the risk of Angle became, to some extent, the risk of the Euler protocol,” he said. “I don’t think this hack is something against composability. It’s just an encouragement to build safer protocols with better risk management practices.”
Decentralization vs. Security
Some of those practices might come at the cost of crypto’s most cherished attributes, according to Tze Donn Ng, an investment associate at Tioga Capital.
“Sacrifice a bit of decentralization for security,” he told The Defiant. “Audits are not enough. You need proactive monitoring, rate limits, and circuit breakers.”
Although the hack made him question a key tenet of DeFi, 0xged said remained committed to crypto, given the technology’s utility has shone brightly in a country accustomed to financial instability.