Lending protocol Euler Finance suffered an exploit that resulted in hackers stealing over $196 million in crypto. Another 11 decentralized finance (DeFi) protocols were affected in the incident, losing a total of ~$37.6 million.
On March 13, the DeFi protocol Euler Finance suffered a flash loan attack. Attackers managed to steal more than $196 million.
The Euler Finance team confirmed the exploit and said they had begun investigating the incident with security experts and law enforcement. According to BlockSec, hackers stole:
- 8.8 million DAI (~$8.7 million);
- 34.4 million USDC (~$33.9 million);
- 849 WBTC (~$18.5 million);
- 85,800 stETH (~$135.8 million).
Slowmist’s investigation found that due to a bug, attackers used the same flash loan twice — for collateral and liquidation. Other DeFi protocols that were linked to Euler in one way or another at the time of the exploit were also affected by the hack:
- Balancer. One of the AMM protocol’s pools lost 65% of TVL as ~$11.9 million was sent from it to Euler during the hack. The protocol’s emergency mechanism was forced to block the remaining funds in the pool.
- Angle Protocol. The protocol team reported that they lost ~$17.6 million in USDC as a result of the Euler exploit, which could significantly affect the liquidity of agEUR, so its minting was temporarily suspended.
- Idle Finance. Seven of the protocol’s pools were affected during the exploit, with ~$5.9 million in USDC, USDT, and WETH stolen. The team was forced to freeze any remaining funds in the pools.
- Yearn Finance. The platform’s liquidity pools were also hit by the exploit. The team reports a possible loss of ~$1.5 million.
- InverseFinance. One of the protocol’s pools suffered an $860,000 loss due to interacting with Balancer at the time of the exploit.
- SwissBorg. The project team reported that “a small portion of SwissBorg’s Smart Yield Program was impacted,” but no specific amount was mentioned. However, all funds were instantly compensated to users thanks to a “risk management procedure.”
Possible losses were also reported at several other DeFi protocols: Opyn, Mean, Sense, and Harvest. However, the project teams didn’t provide specific figures. Thus, the Euler exploit impacted at least 11 different DeFi protocols, which collectively lost $37.6 million.
Auditors at Sherlock pointed out that the current exploit resulted from WatchPug’s negligence when it conducted a security audit of Euler in July 2022 and missed a critical vulnerability.
The project team confirmed that the vulnerability the hackers exploited had indeed existed on-chain for eight months and hadn’t been detected by white hats. Notably, the protocol’s bug bounty program offered $1 million for discovering the vulnerability. The hackers took advantage of the donateToReserves function, in which, due to a bug, no “proper account health check” was performed.
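The missing check described above, as an added example that is not Euler's contract code: a simplified Python model in which `donate_to_reserves` reduces an account's collateral with or without the health check that the other balance-reducing operations run. The single-asset ledger, the 80% collateral factor and every name other than the donate function are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed value: debt may not exceed 80% of collateral (integer math).
FACTOR_NUM, FACTOR_DEN = 8, 10


class Unhealthy(Exception):
    """The operation would leave the account under-collateralised."""


@dataclass
class Account:
    collateral: int = 0  # deposit-side balance
    debt: int = 0        # borrow-side balance

    def is_healthy(self) -> bool:
        return self.debt * FACTOR_DEN <= self.collateral * FACTOR_NUM


class Market:
    """Hypothetical one-asset lending market, prices fixed at 1."""

    def __init__(self, check_health_on_donate: bool):
        self.check_health_on_donate = check_health_on_donate
        self.reserves = 0

    def _apply(self, acct, d_collateral, d_debt, check=True):
        # Compute the post-state first; commit only if it passes validation.
        after = Account(acct.collateral + d_collateral, acct.debt + d_debt)
        if after.collateral < 0 or after.debt < 0:
            raise ValueError("insufficient balance")
        if check and not after.is_healthy():
            raise Unhealthy("account would be under-collateralised")
        acct.collateral, acct.debt = after.collateral, after.debt

    def deposit(self, acct, amount):
        self._apply(acct, amount, 0, check=False)  # can only improve health

    def borrow(self, acct, amount):
        self._apply(acct, 0, amount)

    def withdraw(self, acct, amount):
        self._apply(acct, -amount, 0)

    def donate_to_reserves(self, acct, amount):
        # The flaw being modelled: collateral leaves the account, but the
        # health check is skipped unless the market enables it.
        self._apply(acct, -amount, 0, check=self.check_health_on_donate)
        self.reserves += amount
```

With the check disabled, an account that deposits 100, borrows 70 and donates 50 ends up under-collateralised even though a `withdraw` of the same 50 is rejected; with the check enabled the donation is rejected and the account stays healthy.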
As a result of the exploit, the Euler Finance lending protocol lost more than 96% of TVL. According to DeFiLlama, over $263 million in crypto was locked in the protocol’s smart contracts on March 13 and just over $10 million on March 12.
Hacker activity appears to be gaining momentum. In January 2023, they stole only $740,000; in February their “catch” was bigger: $21 million. And due to the Euler Finance hack, March may set a new record after Hacktober 2022.