Cointime

Cointime

Download App
iOS & Android

A Detailed Analysis of Euler Finance’s $197 Million Flash Loan Attack

Validated Project

On 13 March 2023 at 08:56:35 AM +UTC, DeFi lending protocol Euler Finance experienced a Flash Loan Attack.

Euler Finance is a protocol that operates as a permissionless lending protocol. Its primary goal is to facilitate lending and borrowing of various cryptocurrencies for users. The UK-based tech startup utilizes mathematical principles to develop non-custodial protocols on Ethereum and other blockchain networks, with a focus on achieving high performance.

Based on on-chain data analysis, the attacker has successfully executed multiple transactions resulting in the theft of approximately $197 million, making it the largest hack of 2023 thus far. Stolen assets include several million worth of DAI, USDC, Staked Ether (StETH), and Wrapped Bitcoin (WBTC).

The breakdown of the stolen assets are as follows:

Detailed Analysis

The attack was possible due to a lack of liquidity checks in the donateToReserves function of the Etoken. The attacker executed multiple calls with different currencies to generate profit, resulting in a massive loss of $196 million across six different tokens. Currently, the funds remain in the attacker’s account.

The attacker’s address is: https://etherscan.io/address/0xb66cd966670d962c227b3eaba30a872dbfb995db

The attacker’s contract address is: https://etherscan.io/address/0x036cec1a199234fc02f72d29e596a09440825f1c

One of the attack transactions can be found here: https://etherscan.io/tx/0xc310a0affe2169d1f6feec1c63dbc7f7c62a887fa48795d327d4d2da2d6b111d

1. The attacker first borrowed 30 million DAI through a flash loan from Aave and then deployed two contracts: one for lending and one for liquidation.

2. The attacker then called the deposit function and pledged 20 million DAI to the Euler Protocol contract, receiving 19.5 million eDAI in return.

3. The Euler Protocol allows users to borrow up to 10 times their deposit by calling the mint function. The attacker leveraged this capability to borrow 195.6 million eDAI and 200 million dDAI.

4. The attacker called the repay function using the remaining 10 million DAI borrowed through the flash loan to repay their debt and destroy 10 million dDAI. They then proceeded to call the mint function again to borrow 195.6 million eDAI and 200 million dDAI.

5. The attacker then called the donateToReserves function and donated 10 times the amount needed to repay their debt, sending 100 million eDAI. They then called the liquidate function to initiate the liquidation process and obtained 310 million dDAI and 250 million eDAI.

6. The attacker called the withdraw function and obtained 38.9 million DAI, which they used to repay the 30 million DAI borrowed through the flash loan. They profited 8.87 million DAI from the attack.

Core Vulnerability

First, let’s take a look at the donateToReserves function, which is where users become vulnerable to liquidation.

Comparing the donateToReserves function to the mint function in the diagram below, we can see that a key step, checkLiquidity, is missing from the donateToReserves function.

Next, we followed up and examined the implementation of checkLiquidity. We discovered the Call InternalModule function, which calls the RiskManager to check and ensure that Etoken > Dtoken for the user.

It is necessary to check the user’s liquidity each time an operation is performed by calling checkLiquidity.

However, the donateToReserves function does not execute this operation, allowing users to first put themselves in a state of liquidation through certain functions of the protocol, and then complete the liquidation.

Attack Reproduction

The Numen Cyber Lab’s team has managed to reproduce the attack.

You may find out more details on the PoC at https://github.com/numencyber/SmartContractHack_PoC/tree/main/EulerfinanceHack

Conclusion

Euler Finance have confirmed the attack on their official Twitter (@eulerfinance) and have stated that they are currently collaborating with security professionals and law enforcement to address the issue.

The recent attack on the Euler Finance protocol highlights the importance of implementing rigorous security measures, such as conducting thorough audits and regularly checking for vulnerabilities.

As the decentralized finance ecosystem continues to grow, it is crucial for projects to prioritize the security of their users’ funds and adopt best practices to mitigate the risk of similar attacks in the future.

Note

This article was originally posted on our website’s blog. Subsequent articles will be posted first on our website and Medium after a slight delay.

Please stay tuned and follow our Twitter @numencyber for any future updates.

Euler Finance
Comments

All Comments

Recommended for you

  • Crypto trading ecosystem LazyBear completes strategic financing of 4 million USDT

    The cryptocurrency trading ecosystem LazyBear announced the completion of a strategic financing of 4 million USDT, with participation from Gogeko Labs, DWF Labs, Shadow Labs, Salad Labs, Bees Network, REI Network, IBIT, Crypto Bullish, SYNBO Protocol, Bazaars, Sypool, Bitcoin Gbox, GemX Crypto, Wikibit, and others. It is reported that LazyBear is a cryptocurrency trading ecosystem for retail traders, committed to providing users with an industry-leading, low-fee, inclusive, and enjoyable trading experience.

  • Tether Invests $200M in Majority Stake of Brain-Computer Interface Company Blackrock Neurotech

    Tether's venture capital division, Tether Evo, has invested $200 million to acquire a majority stake in Blackrock Neurotech, a company that develops medical devices powered by brain signals to aid those impacted by paralysis and neurological disorders. The investment will fund the roll-out and commercialization of the devices and research and development purposes. Tether, the issuer of stablecoin USDT, has recently established four divisions to expand beyond stablecoin issuance and believes in nurturing emerging technologies with transformative capabilities. Paolo Ardoino, CEO of Tether, stated that Blackrock Neurotech's brain-computer-interfaces have the potential to open new realms of communication, rehabilitation, and cognitive enhancement.

  • Turnkey Raises $15M Series A Funding to Expand Wallet Infrastructure for Crypto Developers

    New York-based Turnkey has secured $15m in Series A funding led by Lightspeed Faction and Galaxy Ventures, with participation from Sequoia, Coinbase Ventures, Alchemy, Figment Capital, and Mirana Ventures. The company, founded by the team behind Coinbase Custody, offers a wallet infrastructure that enables developers to build anything that involves a wallet or cryptographic transaction. Turnkey plans to use the funds to expand operations and development efforts, and has already integrated with companies including Alchemy, Dynamic, Goldfinch, Halliday, Thunder Terminal, and Kinto. The product suite offers embedded and smart wallet services, biometric passkey logins, and seamless onboarding experiences for users.

  • Thai regulator to crack down on deceptive cryptocurrency ads

    Cryptocurrency advertisements that contain false, exaggerated, distorted, concealed, or misleading information violate Thai regulations. Regulatory agencies in major cryptocurrency markets have also taken similar measures to minimize investment losses in cryptocurrencies. For example, the UK Financial Conduct Authority (FCA) issued 450 illegal cryptocurrency advertising alerts in 2023 alone. In addition, in November 2023, the Spanish National Securities Market Commission, the main securities market regulatory agency, condemned fraudulent cryptocurrency asset promotion activities on X and reiterated the company's obligation to comply with local laws. The Thai Securities and Exchange Commission reminded cryptocurrency exchanges to include appropriate warnings about investment risks and to avoid attracting new users through special promotions. He warned that violating the above guidelines would result in "legal punishment".

  • Russia to impose cryptocurrency restrictions, exempting miners and central bank projects

    Russia will implement cryptocurrency restrictions, exempting miners and central bank projects. Starting from September 1st, Russia will impose strict restrictions on the circulation of cryptocurrencies such as Bitcoin, only allowing the issuance of digital financial assets within its jurisdiction. Anatoly Aksakov, Chairman of the Financial Market Committee of the State Duma, led this initiative. This is part of a wider government effort to control the cryptocurrency ecosystem in the face of escalating geopolitical tensions. Aksakov stated that the upcoming legislation aims to restrict non-Russian cryptocurrency transactions to strengthen the dominance of the ruble. Meanwhile, recent reports indicate that Russian entities have used cryptocurrencies, particularly Tether's USDT, to purchase key components for military technology.

  • Ethereum stablecoin transaction volume exceeds $1 trillion so far in April, setting a new record

    On April 29th, The Block data shows that as of April 28th, the trading volume of stablecoins on the Ethereum blockchain reached a record high of $1.08 trillion in April, with DAI trading volume ranking first at $578.07 billion, followed by USDC at $268.15 billion in second place, and USDT at $198.62 billion in third place.

  • Shenyu: Up to one billion users' cloud input methods may have leaked input content. Please take immediate measures to reduce the risk.

    On April 29th, Cobo co-founder and CEO Shen Yu wrote on X platform that the cloud input method used by up to one billion users may have leaked input content. If you have entered mnemonic words or other sensitive information through any of the following cloud input methods, please take immediate measures to reduce the risk.

  • EU member states prepare to enforce landmark crypto law, MiCA

    The European Union is set to enforce MiCA, a crypto law that mandates national regulators to license and supervise service providers. While the regulation is EU-wide, countries can implement slightly different technical standards that crypto firms must adhere to. MiCA's specialized rules for stablecoin issuers will take effect in a few months, followed by licensing and other requirements for crypto firms broadly in December. Each jurisdiction must transpose the EU regulation into local law, select which of their regulators will oversee crypto, and prepare to authorize token issuers and other service providers. Regulators are facing challenges in implementing the new legislation, particularly in terms of licensing requirements, and each country's crypto industry has its own concerns about implementation and proposed laws.

  • The total open interest of BTC contracts on the entire network dropped to $29.83 billion

    According to Coinglass data, the total open position of BTC futures contracts on the entire network is 478,180 BTC, equivalent to 29.83 billion US dollars.

  • An independent Bitcoin miner obtained the entire 3.125 BTC block reward by verifying block 841,286

    On April 29th, independent mining pool ckpool's software engineer and administrator Con Kolivas posted on social media that a miner had mined the 282nd independent block in Bitcoin history. The miner's computing power at the time was about 120PH, which is equivalent to about 0.12 EH, with an average of about 12 PH per week, accounting for about 0.02% of the total network hash rate.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company