Cointime

Download App
iOS & Android

$197 Million Stolen: Euler Finance Flash Loan Attack Explained [UPDATED 3/17/23]

New updates, 3/17/23: Possible North Korean involvement

Early in the morning of March 17, 2023, 100 ETH stolen in the Euler Finance hack moved to an address that previously received funds stolen in the Axie Infinity Ronin Bridge hack, which was carried out by the North Korean hacking syndicate Lazarus Group.

This could also mean that the Euler Finance hack was also carried out by Lazarus Group. However, we can’t yet know for sure — it’s possible that this movement of funds was an attempt at misdirection by another hacking group. We will continue to monitor the situation and provide updates as possible.

Original post: Analysis of Euler Finance flash loan attack

On March 13, 2023, Euler Finance, a permissionless borrowing and lending protocol on Ethereum, was the victim of a flash loan attack. Euler Finance isn’t the first DeFi hack victim this year — dForce and Platypus were similarly targeted in February — but it is unfortunately the largest. At a whopping near-$200 million loss, hackers stole funds in USDC, wrapped Bitcoin (wBTC), staked Ether (stETH), and DAI, an algorithmic stablecoin maintained by MakerDAO. A hack of this magnitude illustrates both the ongoing threats to widely used DeFi protocols and the potential hacking abuses opened up by flash loans.

In this blog, we’ll explore how flash loans work, how hackers stole funds from Euler Finance, and how the effects of flash loan attacks may be mitigated in the future.

What is a flash loan?

Before analyzing the details of the Euler hack, it is important to understand how flash loans typically work. Flash loans are executed by smart contracts and enable participants to quickly borrow funds without the need for collateral. However, these loans must be repaid in full within the same transaction, or else the entire transaction, including the loan itself, will be reversed. Flash loans are attractive for DeFi traders looking to maximize arbitrage opportunities. They are also commonly used for swapping collateral and self-liquidation.

Although there are several legitimate uses of flash loans, hackers can also use them to manipulate DeFi protocols’ pricing oracles. They do this by taking advantage of the lack of collateralization to borrow huge amounts of funds, which they can then use to manipulate token prices, typically by buying or short selling high volumes of tokens with thin supply levels.

How the Euler Finance flash loan attack occurred

When users borrow and lend using the Euler Finance platform, they primarily transact with two types of tokens: eTokens (which represent collateral) and dTokens (which represent debt). Euler issues eTokens based on the types of funds deposited by users; dTokens automatically trigger on-chain liquidation when the platform holds more dTokens than eTokens.

The hack was made possible by a liquidity issue in the DonateToReserve function of the eToken. This function was properly burning eTokens, but not dTokens, leading to an incorrect conversion of borrowed assets to collateralized assets. Euler’s hacker took advantage of these inconsistencies to create a false impression that the platform had a low amount of deposited eTokens and fake debt due to the fact that the dTokens were not burned.

We currently have reason to believe that there were two primary on-chain entities involved in the hack: a front-running MEV bot (using the wallet 0x5F259D0b76665c337c6104145894F4D1D2758B8c) and the hacker’s primary personal wallet (using the wallet 0xb66cd966670d962C227B3EABA30a872DbFb995db). The hacker hardcoded their lending contract so that the personal wallet received most of the funds, regardless of which entity executed which transactions.

The hacker received initial funding from the sanctioned mixer Tornado Cash for gas fees and to create the contracts used in the exploit, then initiated a flash loan to borrow around $30 million in DAI from the DeFi protocol Aave. After this, the hacker deposited $20 million of that DAI into Euler’s platform, receiving a similar amount in eDAI tokens. By leveraging Euler’s borrowing capabilities, the hacker was able to borrow 10 times the original deposited amount. The hacker then used the remaining $10 million in DAI from the original loan to repay part of the acquired debt (dDAI) and reused the mint function to borrow again until the flash loan was closed. After the hack was complete, the hacker moved some of the funds back to Tornado Cash. Investigators would need to employ advanced investigative techniques like those Chainalysis offers to pursue the funds further.

We can see some of these steps in the Chainalysis Storyline graph below:

Open in new tab to enlarge

Overall, Euler lost roughly $197 million worth of cryptocurrency, spread across DAI, wBTC, stETH, and USDC. Additionally, Euler’s native token, EUL, declined more than 45%.

Reducing hacking risks

Although it can be difficult to identify DeFi platform vulnerabilities, there may be several methods to mitigate risk of flash loan attacks to protect cryptocurrency participants from similar catastrophic events. For instance, circuit breakers could be used to temporarily halt protocols when there are unusually large price movements or outflows so that hacks can be stopped early. We will continue to monitor the Euler hack situation and provide updates as possible.

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.

Read more: https://blog.chainalysis.com/reports/euler-finance-flash-loan-attack/

Comments

All Comments

There are no comments yet, why not be the first?

Recommended for you

  • Ministry of Public Security: Telecom fraud groups are using blockchain, virtual currency and AI technology to upgrade their criminal methods

     Beijing Business Daily reported that at a press conference held by the Ministry of Public Security on January 10, it was announced that as of the end of 2024, more than 53,000 Chinese criminal suspects involved in telecommunications fraud in Myanmar's northern region have been arrested, and the "Four Major Families" criminal groups in Myanmar's northern region have been successfully destroyed. The Ministry of Public Security pointed out that although the crackdown has achieved significant results, the crime situation is still severe. Fraudulent groups are constantly upgrading their criminal tools using new technologies such as blockchain, virtual currency, and AI intelligence. These groups are well-organized and engage in illegal activities such as cross-border cooperation in app development, traffic diversion and promotion, and money laundering. Fraudsters tailor their scripts to target victims of different ages, professions, and educational backgrounds, and the victims are widespread. Although the telecommunications fraud park near the Chinese border in Myanmar's northern region has been cleared, there are still many fraudulent dens operating overseas under the guise of "technology parks" and "development zones".

  • Turkish AI studio Grand Games receives $30 million in Series A funding led by Balderton Capital

    Turkish AI studio Grand Games has raised $30 million in Series A funding, led by London investment firm Balderton Capital, with other investors including Bek Ventures, Laton Ventures, and angel investor Mert Gür. The company plans to use the funds to expand its workforce and continue developing games while maintaining its existing structure. Grand Games is a mobile game publisher based in Turkey, known for casual games such as "Magic Sort" and "Car Match," and has been in operation for less than a year.

  • Today's Fear and Greed Index dropped to 70, and the level changed from Extreme Greed to Greed.

    today's panic and greed index has dropped to 70 (down from 78 yesterday), changing from extreme greed to greed. Note: The panic index threshold is 0-100 and includes indicators such as volatility (25%) + market trading volume (25%) + social media popularity (15%) + market surveys (15%) + bitcoin's proportion in the entire market (10%) + Google keyword analysis (10%).

  • Hong Kong police cracked down on a scam group that used deepfake technology to trick others into investing in virtual currency, involving about 34 million yuan

    Hong Kong police recently busted a virtual currency fraud group that used deepfake technology to lure others into investing through social media platforms, involving about 34 million yuan. Hong Kong police's commercial crime department arrested 31 people between the ages of 20 and 34 last week in two office buildings in Kowloon Bay, some of whom claimed to be students or unemployed, involved in the same fraud group, and seized their pre-set "scripts".

  • Biden: We will gather tomorrow to certify the results of a free and fair presidential election to ensure a peaceful transfer of power

     US President Biden said, "Tomorrow is January 6th. We are gathered here to certify a free and fair presidential election result to ensure a peaceful transfer of power." 

  • Today's Fear and Greed Index rose to 76, and the level changed from Greedy to Extreme Greedy

    today's panic and greed index rose to 76 (yesterday was 72), and the level changed from greed to extreme greed.

  • Solv Protocol's official X account was stolen and published false information, please beware of the risks

    according to SlowMist's monitoring, the official X account of Solv Protocol has been hacked and false information has been released. Please stay vigilant and beware of risks.

  • Dennis Porter: At least 13 states are developing “strategic bitcoin reserve” legislation

    Satoshi Action Fund (SAF) co-founder and CEO Dennis Porter stated in a post on X platform that it can be confirmed that at least 13 states are drafting legislation for "strategic bitcoin reserves". January will be a record-breaking month for bitcoin policy.

  • South Korea's Public Prosecutor's Office suspends execution of Yoon Seok-yeol arrest warrant

    According to a report from Korean News Agency, due to the ongoing standoff, the Korean Public Officials Crime Investigation Department stated that the execution of the arrest warrant was stopped at 1:30 p.m. local time today (January 3), which is 12:30 p.m. Beijing time. Currently, the personnel from the Public Officials Crime Investigation Department and the police who were executing the arrest warrant have left the presidential palace. 

  • DeFi TVL exceeds $95 billion again

    According to defillama data, as of May 18, 2024, the total value locked (TVL) in DeFi has once again surpassed $95 billion. It is currently reported at $95.069 billion, an increase of nearly $12 billion from the low point of $83.04 billion 35 days ago. Among the top five protocols in terms of TVL, Eigenlayer has the highest 30-day increase, with TVL rising by 19.67% to a total of $15.455 billion.