Largest Hack of 2023: Euler Finance Suffers Massive $196M Loss in Flash Loan Attack
On March 13th, Euler Finance, a lending protocol on the Ethereum blockchain, experienced a flash loan attack, resulting in the theft of millions worth of Dai, USDC, Staked Ether (StETH), and Wrapped Bitcoin (WBTC).
Using multiple transactions, the attacker has managed to steal almost $196 million, making it the largest hack of 2023 so far, according to on-chain data.
According to Cointelegraph, the breakdown of stolen funds is as follows:
Crypto analytics firm MetaSleuth reported that the recent attack on Euler Finance is linked to a similar deflation attack that occurred a month ago.
The attacker used a multichain bridge to move the funds stolen in that earlier attack from Binance Smart Chain to Ethereum before carrying out the attack on Euler.
Another on-chain investigator, ZachXBT, noted that the attack bears similarities to a previous hack that targeted a Binance Smart Chain-based protocol. The stolen funds are now in the hacker’s addresses and include Dai and ETH.
Euler Finance confirmed the breach and announced that they are collaborating with law enforcement and security professionals to find a solution to the issue.
Slowmist, a blockchain security firm, conducted a thorough analysis of the attack and concluded that the attacker used flash loans to deposit funds, then leveraged the position twice to set up a liquidation.
The funds were then donated to the reserved address, and a self-liquidation was carried out to claim the remaining assets. Two factors enabled the exploit to succeed.
According to Cointelegraph, the first was that funds could be transferred to the reserved address without a liquidity check, which activated a soft liquidation process.
The second was that the high leverage triggered the soft liquidation, allowing the attacker to take most of the collateral in the liquidated account while transferring only a portion of its liabilities to themselves.
According to Gustavo Gonzalez, a solutions developer at blockchain security firm OpenZeppelin, the flash loan attack on Euler Finance was executed in a single transaction per pool using AAVE.
Gonzalez explained that a smart contract bug in Euler Finance failed to perform a health factor check during execution of the donateToReserves() function. This allowed the attacker to liquidate their own position, repay the flash loan, and walk away with a massive profit.
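To make the missing check concrete, here is an added toy model written for this article (not Euler's code and not from Cointelegraph, Slowmist or OpenZeppelin). The pool, the 75% collateral factor and the 100/70/20 figures are constructed; the point is that any function which burns a user's collateral, including a donation to reserves, must re-run the same health check that borrowing does, otherwise the caller can push their own account below the liquidation line.

```python
# Constructed toy model of an over-collateralised lending pool (not Euler's code).
# Every path that lowers an account's collateral must re-check account health.
from dataclasses import dataclass

COLLATERAL_FACTOR_PCT = 75  # 100 units of collateral back at most 75 units of debt (constructed)


class UnhealthyAccount(Exception):
    """Stands in for a Solidity revert: the operation would leave the account under-collateralised."""


@dataclass
class Account:
    collateral: int  # value of deposited collateral, in whole currency units
    debt: int        # value of outstanding borrows


def is_healthy(collateral: int, debt: int) -> bool:
    return collateral * COLLATERAL_FACTOR_PCT >= debt * 100


class Pool:
    def __init__(self, check_on_donate: bool) -> None:
        self.check_on_donate = check_on_donate  # False models the missing health check
        self.reserves = 0

    def borrow(self, acct: Account, amount: int) -> None:
        # Borrowing always runs the health check; this path was never the problem.
        if not is_healthy(acct.collateral, acct.debt + amount):
            raise UnhealthyAccount("borrow would exceed the collateral factor")
        acct.debt += amount

    def donate_to_reserves(self, acct: Account, amount: int) -> None:
        # A donation burns the caller's collateral but leaves their debt untouched,
        # so it must be guarded exactly like a withdrawal.
        new_collateral = acct.collateral - amount
        if self.check_on_donate and not is_healthy(new_collateral, acct.debt):
            raise UnhealthyAccount("donation would leave the account under-collateralised")
        acct.collateral = new_collateral
        self.reserves += amount


def run_scenario(check_on_donate: bool) -> tuple[bool, bool]:
    """Deposit 100, borrow 70 (healthy at 75%), then try to donate 20 of the collateral.
    Returns (donation_accepted, account_still_healthy)."""
    pool = Pool(check_on_donate)
    acct = Account(collateral=100, debt=0)
    pool.borrow(acct, 70)  # 100 * 75 >= 70 * 100, so the borrow is accepted
    try:
        pool.donate_to_reserves(acct, 20)  # would leave 80 collateral against 70 debt
        accepted = True
    except UnhealthyAccount:
        accepted = False
    return accepted, is_healthy(acct.collateral, acct.debt)


if __name__ == "__main__":
    print("unchecked donate:", run_scenario(False))  # (True, False): account left liquidatable
    print("checked donate:  ", run_scenario(True))   # (False, True): donation reverted
```

The unchecked variant accepts the donation and leaves the account liquidatable; the checked variant rejects it and the account state is unchanged, which is the invariant a review of every collateral-reducing function should confirm.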
It is worth noting that Euler Finance had raised $32 million in a funding round last year, with participation from Coinbase, FTX, Jump, Jane Street, and Uniswap.
Euler Finance had become popular for providing liquid staking derivatives (LSDs), which enable stakers to maximize their returns by unlocking liquidity for staked cryptocurrencies like Ether.
At present, LSDs account for 20% of the total value locked in decentralized finance protocols.