DcentraLab Diligence Analysis: Euler Finance Hack
Earlier today, several Twitter users noticed a series of unusual transactions on the Ethereum blockchain. Once those transactions were analyzed and traced, it became clear that another significant hack had taken place. According to the transactions on Etherscan, 8.89M DAI and 8,080 WETH were among the assets drained, with total reported damages to Euler Finance of roughly $200M.
Euler Finance is a permissionless lending protocol built on Ethereum that lets users lend and borrow a range of crypto assets. The protocol's governance token, EUL, is traded on popular exchanges including KuCoin, Huobi, and Gemini.
The attack on Euler Finance was complex, with more details emerging by the minute. It was made possible by a design flaw in the protocol's "donate to reserves" function (donateToReserves), which lets a user give up part of their collateral (eTokens) to the protocol's reserves. The function never checked that the caller's own loan remained healthy afterwards, so a borrower could deliberately make their own position undercollateralized. The attacker used a flash loan for capital, deposited into a pool, minted a heavily leveraged self-collateralized position, donated just enough collateral to push that position underwater, and then liquidated it from a second address, collecting the liquidation discount at the expense of the pool's other depositors.
The attacker likely used custom contracts to repeat this sequence across several of Euler's lending pools and drain as much as possible.
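The sequence described above, as an added example that is not Euler's code or the attacker's: a simplified Python model of a lending pool whose donate_to_reserves function skips the borrower health check, with the one-line fix beside it. The collateral factor, the liquidation discount, the account names and every amount are assumptions chosen to keep the arithmetic small; the point is that the same steps yield a profit for the attacker and bad debt for the pool when the check is absent, and revert at the donate step when it is present.

```python
# Added example: a simplified lending-pool model of the "donate to reserves" flaw.
# NOT Euler's code. Factors, names and amounts are assumptions; integer token units.
from dataclasses import dataclass, field

COLLATERAL_FACTOR_PCT = 95     # assumption: 95% of collateral value backs debt
LIQUIDATION_DISCOUNT_PCT = 20  # assumption: liquidator seizes 20% more than it repays


class Unhealthy(Exception):
    """Raised when an operation would leave (or finds) a position undercollateralised."""


@dataclass
class Account:
    collateral: int = 0   # eToken-style claim on pool assets
    debt: int = 0         # dToken-style amount owed to the pool


@dataclass
class Pool:
    cash: int                 # real tokens held by the pool (depositors' liquidity)
    check_donate: bool        # True = hardened donate_to_reserves (health check added)
    reserves: int = 0
    accounts: dict = field(default_factory=dict)

    def acct(self, who):
        return self.accounts.setdefault(who, Account())

    def healthy(self, who):
        a = self.acct(who)
        return a.collateral * COLLATERAL_FACTOR_PCT >= a.debt * 100

    def require_healthy(self, who):
        if not self.healthy(who):
            raise Unhealthy(who)

    def deposit(self, who, amount):
        self.cash += amount
        self.acct(who).collateral += amount

    def mint(self, who, amount):
        """Self-collateralised borrow: matching collateral and debt are created at once."""
        a = self.acct(who)
        a.collateral += amount
        a.debt += amount
        self.require_healthy(who)          # leverage is capped by the collateral factor

    def donate_to_reserves(self, who, amount):
        """Give up collateral to the reserves. The vulnerable variant never asks
        whether the caller's own loan is still covered afterwards."""
        a = self.acct(who)
        if amount > a.collateral:
            raise ValueError("not enough collateral")
        a.collateral -= amount
        self.reserves += amount
        if self.check_donate:
            self.require_healthy(who)      # the fix: refuse to create an underwater position

    def liquidate(self, liquidator, violator, repay):
        """Repay part of an unhealthy violator's debt; seize collateral at a discount."""
        if self.healthy(violator):
            raise ValueError("violator is healthy; nothing to liquidate")
        v = self.acct(violator)
        repay = min(repay, v.debt)
        seize = min(repay * (100 + LIQUIDATION_DISCOUNT_PCT) // 100, v.collateral)
        self.cash += repay
        v.debt -= repay
        v.collateral -= seize
        self.acct(liquidator).collateral += seize
        return seize

    def withdraw(self, who, amount):
        a = self.acct(who)
        if amount > a.collateral or amount > self.cash:
            raise ValueError("cannot withdraw")
        a.collateral -= amount
        self.cash -= amount
        self.require_healthy(who)

    def bad_debt(self):
        """Debt with no collateral behind it; borne by the remaining depositors."""
        return sum(max(0, a.debt - a.collateral) for a in self.accounts.values())


def run_attack(check_donate, other_liquidity=1000, own_capital=20,
               mint_amount=380, donate_amount=10):
    """Replay the attack pattern. Returns (attacker_net_profit, pool_bad_debt).
    Deposits and the liquidation repayment are fronted by a flash loan that is
    repaid from the withdrawn collateral at the end, so only the net figure matters."""
    pool = Pool(cash=other_liquidity, check_donate=check_donate)
    net = 0
    pool.deposit("violator", own_capital)          # 1. a little real capital ...
    net -= own_capital
    pool.mint("violator", mint_amount)             # 2. ... leveraged into a large position
    pool.donate_to_reserves("violator", donate_amount)  # 3. push it underwater (reverts if fixed)
    remaining = pool.acct("violator").collateral
    repay = remaining * 100 // (100 + LIQUIDATION_DISCOUNT_PCT)  # 4. repay only what the
    seized = pool.liquidate("liquidator", "violator", repay)     #    discount lets us seize
    net -= repay
    pool.withdraw("liquidator", seized)            # 5. cash out the seized collateral
    net += seized
    return net, pool.bad_debt()


def attack_is_blocked(check_donate):
    """True if the pool rejects the sequence at the donate step."""
    try:
        run_attack(check_donate)
    except Unhealthy:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable pool (profit, bad debt):", run_attack(check_donate=False))
    print("hardened pool blocks the attack:", attack_is_blocked(True))
```

With the assumed numbers the attacker turns 20 units of own capital into a net gain of 45, and the violator account is left owing 55 with no collateral, which is the loss the pool's other depositors absorb. On the hardened pool the donate call raises Unhealthy, so no self-liquidation is possible.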
While the attacker's identity is unknown, their Ethereum wallet address is. With the popular Ethereum mixer Tornado Cash far less active than it once was, the attacker will likely choose a different route to launder the stolen funds; one likely option is swapping the holdings to BTC and then using a Bitcoin mixer such as a CoinJoin implementation.
Vulnerabilities such as the one seen at Euler Finance might have been caught by a proper smart contract audit, in this case by asking of every function that changes a borrower's position whether the caller's health is re-checked afterwards. Audit your code with DcentraLab Diligence.
Special thanks to the Twitter users @peckshield and @officer_cia.