The decentralized finance (DeFi) lending protocol Euler Finance was hit by a flash loan attack on March 13, 2023, at 08:56:35 AM UTC. The attacker succeeded in stealing millions of dollars in Dai (DAI), USD Coin (USDC), staked Ether (stETH), and wrapped Bitcoin (WBTC). This was the most severe flash loan attack of 2023 thus far.
Euler Finance is a protocol that allows for permissionless lending. Its major purpose is to make cryptocurrency lending and borrowing easier for customers. The UK-based technology business employs mathematical concepts to create non-custodial protocols on cryptocurrency and other blockchain networks, with the goal of improving efficiency.
According to the most recent on-chain statistics, the exploiter carried out several transactions, taking over $197 million and affecting more than 11 different DeFi protocols. The attacker transferred money from the BNB Smart Chain (BSC) to Ethereum using a multichain bridge. The breakdown of the stolen funds is as follows:
On March 14, Euler issued an update on the matter through Twitter, informing users that the vulnerable eToken module had been deactivated to prevent deposits and that the vulnerable donation feature had been removed. Euler has also enlisted the assistance of TRM Labs, Chainalysis, and the larger ETH security community in the investigation and recovery efforts.
According to the company, it works with multiple security groups on protocol audits, and the vulnerable code was reviewed and approved during an outside audit. The vulnerability was not found during that audit. However, one of its auditors, Omniscia, performed a technical post-mortem and thoroughly investigated the attack.
The attack was possible because of a lack of liquidity checks in the eToken's donateToReserves function, which was implemented in EIP-14. The protocol, however, emphasised that the attack was theoretically possible even before EIP-14.
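The missing check described above can be shown in a simplified model. This is an added example, not Euler's contract code: the `Pool` and `Account` classes, the method names, and the one-for-one collateral rule are assumptions made for illustration, and the balances are constructed.

```python
from dataclasses import dataclass, field

class InsolventAccount(Exception):
    """Raised when an operation would leave debt under-collateralised."""

@dataclass
class Account:
    collateral: int = 0  # deposit-token balance (assumed eToken-like units)
    debt: int = 0        # debt-token balance (assumed dToken-like units)

@dataclass
class Pool:
    # Assumed rule for this model: collateral must cover debt one-for-one.
    reserves: int = 0
    accounts: dict = field(default_factory=dict)

    def is_healthy(self, who: str) -> bool:
        acct = self.accounts[who]
        return acct.collateral >= acct.debt

    def _move_to_reserves(self, who: str, amount: int) -> None:
        acct = self.accounts[who]
        if amount <= 0 or amount > acct.collateral:
            raise ValueError("invalid donation amount")
        acct.collateral -= amount
        self.reserves += amount

    def donate_unchecked(self, who: str, amount: int) -> None:
        """Flawed shape: collateral leaves the account, health is never re-checked."""
        self._move_to_reserves(who, amount)

    def donate_checked(self, who: str, amount: int) -> None:
        """Hardened shape: re-check the invariant and roll back on failure."""
        self._move_to_reserves(who, amount)
        if not self.is_healthy(who):
            self.accounts[who].collateral += amount
            self.reserves -= amount
            raise InsolventAccount(f"{who}: donation would leave debt uncovered")

def demo(method: str):
    """Constructed sample: 150 collateral, 100 debt, donation of 100."""
    pool = Pool(accounts={"alice": Account(collateral=150, debt=100)})
    try:
        getattr(pool, method)("alice", 100)
        rejected = False
    except InsolventAccount:
        rejected = True
    return rejected, pool.is_healthy("alice"), pool.reserves
```

The same invariant applies to any state change that reduces an account's collateral or increases its debt: the health check belongs at the end of the operation, and a failure must revert the whole change.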
Sherlock, an audit firm that has previously worked with Euler Finance, confirmed the root cause of the attack and assisted Euler in filing a claim. The $4.5 million claim was then put to a vote and approved, and a $3.3 million settlement was later executed on March 14.
The attacker’s identity has been revealed. Euler also stated that it is attempting to contact the attackers in order to learn more about the situation and possibly arrange compensation to recover the stolen funds.
The latest attack on the Euler Finance protocol emphasises the significance of deploying strict security measures, such as rigorous audits and frequent vulnerability checks. In recent years, flash loans have become increasingly common in the field of decentralised finance (DeFi). As the decentralised financial ecosystem expands, it is critical for projects to prioritise the security of their users’ money and implement best practices to reduce the risk of future attacks.