Euler Finance, a DeFi lending protocol, was hit by a flash loan attack on March 13, the largest cryptocurrency hack of 2023 thus far. The attack caused a loss of almost $197 million and impacted over 11 other DeFi protocols. To block deposits, Euler Finance disabled the vulnerable eToken module and donation function.
Euler Finance updated its users on March 14, notifying them of the disabled features and the situation. The firm has been working with various security groups to conduct audits of its protocol, and the vulnerable code had been reviewed and approved during an external audit. However, the vulnerability persisted on-chain for eight months before it was exploited, despite a $1 million bug bounty.
Sherlock, an audit group that had previously collaborated with Euler Finance, verified the root cause of the exploit and assisted Euler in filing a claim. The audit protocol voted on the $4.5 million claim, which was approved, and a $3.3 million payout was later made on March 14.
According to the audit report, the exploit’s main cause was a missing health check in the “donateToReserves” function, which was a new addition in EIP-14. The protocol emphasized that the attack was still technically feasible even before EIP-14.
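To make the missing health check concrete, here is an added example (not Euler's contract code and not taken from the audit report): a simplified Python model in which a donation moves collateral to reserves, first without and then with a health check after the state change. The `Account`, `Pool` and `demo` names and the 1:1 collateral rule are assumptions of this model.

```python
# Simplified accounting model, constructed for illustration; not Euler's contract code.
from dataclasses import dataclass

class Unhealthy(Exception):
    """The operation would leave the account under-collateralised."""

@dataclass
class Account:
    collateral: int  # deposit-token balance backing the loan
    debt: int        # outstanding borrow

    def is_healthy(self) -> bool:
        # Assumed rule for this model: collateral must cover debt 1:1.
        return self.collateral >= self.debt

class Pool:
    def __init__(self) -> None:
        self.reserves = 0

    def _move_to_reserves(self, acct: Account, amount: int) -> None:
        if amount <= 0 or amount > acct.collateral:
            raise ValueError("invalid donation amount")
        acct.collateral -= amount
        self.reserves += amount

    def donate_unchecked(self, acct: Account, amount: int) -> None:
        # Shape of the flaw: collateral drops, debt stays, health is never re-checked.
        self._move_to_reserves(acct, amount)

    def donate_checked(self, acct: Account, amount: int) -> None:
        # Same state change, but rolled back if the account ends up unhealthy.
        self._move_to_reserves(acct, amount)
        if not acct.is_healthy():
            acct.collateral += amount
            self.reserves -= amount
            raise Unhealthy("donation would leave debt under-collateralised")

def demo() -> dict:
    weak, weak_acct = Pool(), Account(collateral=150, debt=100)
    weak.donate_unchecked(weak_acct, 100)  # accepted: 50 collateral vs 100 debt
    fixed, fixed_acct = Pool(), Account(collateral=150, debt=100)
    try:
        fixed.donate_checked(fixed_acct, 100)
        rejected = False
    except Unhealthy:
        rejected = True
    return {"weak_healthy": weak_acct.is_healthy(), "rejected": rejected,
            "fixed_collateral": fixed_acct.collateral, "fixed_reserves": fixed.reserves}
```

The general lesson for reviewers is that every state-changing path that can lower an account's collateral or raise its debt needs the same solvency check as the borrow and withdraw paths.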
Sherlock also noted that the Euler audit conducted by WatchPug in July 2022 failed to identify the critical vulnerability that eventually led to the attack in March 2023. To investigate and recover the funds, Euler has also contacted leading on-chain analytics and blockchain security firms such as TRM Labs, Chainalysis, and the broader ETH security community.
Euler Finance has stated that it is also attempting to contact those responsible for the attack to learn more about the issue and potentially negotiate a bounty to recover the stolen funds. This incident highlights the importance of conducting regular audits of DeFi protocols to identify vulnerabilities and prevent attacks. As DeFi continues to expand and attract more users, security and reliability will become even more critical to the industry’s success.