Audits
Services
DualDefense
Hacken Audit + Additional Crowdsourced Audit
Learn more
Services
DualDefense
Smart Contract Audit
Blockchain Protocol Audit
DORA Compliance
Virtual CISO
Penetration Testing
Cloud Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit
Retainer
DualDefense
New Approach To Blockchain Security
Hacken Audit + Additional Crowdsourced Audit
At no extra cost
2 in 1
Dual-layered protection
$0
Costs
30-Day
Crowdsourced audit
Independent
HackenProof bug hunters
Learn more
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company
Community
Community
- $HAI

The Euler Finance Hack Explained

The Euler Finance Hack Explained

4 minutes

The crypto industry was shaken a bit on the 13th of March, 2023. An attacker exploited the Euler Finance protocol for a record-breaking $187 million flash-loan attack.

? Euler Finance (@eulerfinance) has been exploited

? Amount stolen is approximately $187M

Stolen assets include $stETH, $USDC, $WBTC

More details in the thread below ⬇️

?…
— Hacken?? (@hackenclub) March 13, 2023

According to on-chain reports, the hacker stole $187 million from the Euler Finance protocol. So far, this tops the list of the biggest hacks in 2023. How did it happen?

Inside the Attack

The hacker created three contracts; a primary one, then two others for violation and liquidation. They got a flashloan of 30 million DAI from Aave, a flashloan protocol, and sent it to the violation contract.

The hacker deposited 20 million DAI to Euler Protocol and got approximately 19.6 million eDAI in return. Then they leveraged the 19.6 million eDAI to borrow approximately 195.6 million eDAI and 200 million dDAI.

Recall that the hacker still has 10 million DAI left out of the 30 million DAI they borrowed. They used the remaining 10 million DAI to repay some of their debt. This was important because the Euler Finance smart contract checks the health score of borrowing accounts. Balance is now 190 million dDAI. Then they borrowed another 195.6 million eDAI and 200 million dDAI.

At this point, the hacker donated 100 million eDAI to the Euler protocol reserve. This call was successful because the donateToReserve function has no liquidity check. The liquidation call was successful, and the attacker got 254 million dDAI and 310 million eDAI. They repaid Aave its 30 million DAI and made about 8.7 million DAI from the exploit.

It didn’t end there. The attacker also used this address [00x47ac3527d02e6b9631c77fad1cdee7bfa77a8a7bfd4880dccbda5146ace4088f] to execute this same attack logic with WETH.

The attacker’s actions:

borrowed 20895 WETH flashloan from Aave
deposited 13930 WETH into the EToken pool
minted ETokens and received 13930 from the pool
paid 6965 WETH to improve health score
minted 13930 WETH and donated 69650 WETH
the liquidation contract received 28994 WETH
paid back Aave and took away 8099 ETH ($135,630,71)

What were the vulnerabilities?

After careful analysis, we discovered that the hacker exploited two vulnerabilities in the Euler Finance contract.

1. Lack of liquidity checks on the donateToReserves function. The donateToReserve function allows the users of Euler to deposit funds into the reserved address. Everyone who calls this function has both Debt Token (DToken) and Equity Token (EToken).

The main vulnerability of this function is that it doesn’t check or confirm the liquidity status of the borrower. So the users can under-collateralize their leverage by donating their Equity Tokens to the reserve while their Debt Tokens remain unchanged. This creates a form of technical bad debt. So the hacker’s liquidation contract successfully withdrew from the protocol.

2. The Healthscore Flaw. Euler finance has a design for assigning health scores to accounts. It allows insolvent accounts to get the collateral without repaying the outstanding debt. This was spelled out in the computeLiqOpp function.

The logic behind this code block is that seizing all the borrower’s collateral does not necessarily mean they will still be solvent. Hence, whatever collateral they have left should suffice. However, an attacker can exploit this logic by carrying out under-collateralized leverage.

How is the Euler Finance team handling the situation?

On the 14th of March, the Euler team issued a release on their Twitter account and mentioned their 3 action steps:

Stop the attack
Engage more ETH Security companies
Involve the law enforcement agencies
Possibly negotiate with the hacker

Lessons Learned from the Attack

While the Euler team is trying to recover from the attack, there are a few lessons from this exploit:

Test thoroughly. On a closer look, the donateToReserve function was not properly tested. As seen on their GitHub, It was not tested for donating after borrowing and health score after donating. The team could have mitigated this attack if they had tested the vulnerable function against every possible scenario. This is more critical when new logic and functions are introduced to an existing codebase. As in the case of the donateToReserve function, test new improvements in the smart contract.

Audit more rigorously. Six Web3 security companies had audited Euler Finance, yet this attack occurred. It’s fair to say that not all audits reviewed the faulty function. Still, some audits are not done deeply and can leave out of scope important functions, so it’s better to have a comprehensive audit.

Request a Smart Contract Audit that makes a difference.