Euler Finance, a decentralized finance (DeFi) lending protocol on Ethereum, has lost approximately $200 million through a flash loan hack. This loss makes it the biggest DeFi hack in 2023.
Euler Finance’s $200 Million Exploit
On Mar. 13, 2023, Euler Finance confirmed that it had suffered an attack, resulting in approximately a $200 million loss. The protocol is now working with law enforcement and security professionals.
We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it. https://t.co/bjm6xyYcxf
— Euler Labs (@eulerfinance) March 13, 2023
To execute the hack, the attacker targeted four tokens: DAI, an algorithmic stablecoin; wrapped-Bitcoin (WBTC); staked-Ethereum (sETH); and USDC, a fiat-backed stablecoin. In recent months, Euler Finance has become popular for offering liquid staking derivatives (LSD) services. Notably, it comes ahead of the Shanghai-Capella upgrade on Ethereum, a smart contract platform.
According to Dedaub, a smart contract auditing service provider, the attacker used flash loans from Aave, a non-custodial lending protocol, to carry out the attack. Ahead of this, funds were first bridged from BNB Smart Chain (BSC) before they were deployed to break Euler Finance.
In a flash loan attack, the attacker borrows a large token amount without collateral, typically using a flash loan. Afterward, they use that loan to manipulate other tokens’ value in a pool, in most cases driving down the price of the target asset. With this, they can buy that token at a lower price and quickly sell it back for a profit once the price recovers.
The Flash Loan Attack
In Euler Finance’s case, the flash loan was leveraged in two instances, forcing massive liquidations. Specifically, the attacker tricked the protocol into falsely assuming it held a low amount of eToken, a collateral token issued by Euler based on whichever token is deposited on the protocol.
They then borrowed 10x the deposited amount from Euler, receiving 195.6 million eDAI and 200 million dDAI.
Euler suffered an attack
Analyzing 1 tx that shows an $8.9m+ return for the attacker
1. Flash loan
2. Deposit 20m DAI
3. Mint 200m eDAI
4. Repay 10m DAI
5. Mint 200m eDAI
6. Donate 100m eDAI to reserves
7. Liquidate yourself for 259m eDAI yields 38.9m DAI
8. Close flashloan pic.twitter.com/8cjHwDgX3y
— Dedaub (@dedaub) March 13, 2023
This type of exploit is known as a liquidity attack. It’s also one of the most common types of DeFi hacks.
Essentially, attackers manipulate the protocol’s liquidity calculations, which allows them to borrow more funds than they should be able to, leading to massive losses for the protocol and its users.
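The accounting behind steps 2 to 6 of the Dedaub thread can be replayed in a small model. This is an added example, not code from Euler, Dedaub or the original article. It assumes 1 eDAI = 1 DAI, uses the tweet's rounded amounts in millions, omits risk-adjustment factors and mint limits, and all class and function names are hypothetical. It shows that the donation leaves the account with less collateral than debt, and that a solvency check on the donation rejects that step.

```python
from dataclasses import dataclass

class InsolventError(Exception):
    """An operation would leave collateral below debt."""

@dataclass
class Account:
    check_on_donate: bool  # hardened variant re-checks solvency on donation
    collateral: int = 0    # eDAI held, in millions (assumption: 1 eDAI = 1 DAI)
    debt: int = 0          # dDAI owed, in millions
    reserves: int = 0      # eDAI donated to protocol reserves

    def solvent(self) -> bool:
        return self.collateral >= self.debt  # simplified: risk factors omitted

    def deposit(self, amt: int) -> None:
        self.collateral += amt

    def mint(self, amt: int) -> None:
        self.collateral += amt  # self-borrow: collateral and debt tokens
        self.debt += amt        # are created together

    def repay(self, amt: int) -> None:
        self.debt -= amt

    def donate(self, amt: int) -> None:
        if self.check_on_donate and self.collateral - amt < self.debt:
            raise InsolventError(f"donating {amt}m leaves debt uncovered")
        self.collateral -= amt
        self.reserves += amt

# Steps 2-6 of the Dedaub thread; amounts in millions, rounded as in the tweet.
STEPS = [("deposit", 20), ("mint", 200), ("repay", 10), ("mint", 200), ("donate", 100)]

def replay(check: bool):
    """Replay STEPS and return the final account plus a per-step trace."""
    acct, trace = Account(check_on_donate=check), []
    for name, amt in STEPS:
        try:
            getattr(acct, name)(amt)
            status = "ok"
        except InsolventError:
            status = "rejected"
        trace.append((name, amt, acct.collateral, acct.debt, status))
    return acct, trace

if __name__ == "__main__":
    for check in (False, True):
        print(f"check on donate={check}:", replay(check)[1])
```

Without the check the model ends at 320m collateral against 390m debt, which is the under-collateralised position that the self-liquidation in step 7 then acts on.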
The Euler hack is the latest in many DeFi exploits that have plagued the industry recently. According to blockchain analytics firm Chainalysis, over $3 billion was stolen from DeFi protocols via hacks or exploits in 2022 alone.
2/ At this rate, 2022 will likely surpass 2021 as the biggest year for hacking on record. So far, hackers have grossed over $3 billion dollars across 125 hacks. pic.twitter.com/vgT3pz2iOu
— Chainalysis (@chainalysis) October 12, 2022
DeFiLlama data shows hackers stole over $20 million in February 2023. Those targeted include Orion, dForce network, and Platypus Finance.
In February, the dForce network lost $3.65 million, while Platypus Finance was hacked for over $8 million.