Euler DeFi Protocol Exploited for Nearly $200M

Decentralized-finance (DeFi) lending protocol Euler Finance has suffered an exploit that resulted in almost $200 million being lost.

The losses occurred over four transactions in dai (DAI), wrapped bitcoin (WBTC), staked ether (sETH) and USDC, according to smart contract auditor BlockSec. The attacker used a flash loan to conduct the attack.

"We are aware and our team is currently working with security professionals and law enforcement," Euler Finance said in a tweet. "We will release further information as soon as we have it."

Flash loans allow DeFi users to borrow millions of dollars against zero collateral. This isn’t crypto magic or free money: The loan must be repaid before the transaction ends or the smart contract reverses the transaction – as if the loan never existed. They are a popular way for attackers to gain funds to conduct exploits on decentralized systems. In April 2022, the Beanstalk stablecoin protocol was drained of $182 million, and in May 2022, more than $1.2 million was taken from Inverse Finance.

Euler's attackers used the loan to temporarily trick the protocol into falsely assuming it held a low amount of eToken, a collateral token issued by Euler based on whichever token is deposited on the protocol. A separate dToken, or debt token, is also issued by Euler so that an on-chain liquidation is automatically triggered when the amount of dTokens exceeds the amount of eTokens held on the platform.

The attacker took out over $30 million worth of dai stablecoin using flash loans from DeFi protocols Balancer and Aave, on-chain data shows. Some $20 million of that was sent to Euler, on which the attacker received $19.5 million worth of eDAI.

The attacker then borrowed 10 times the deposited amount from Euler, receiving 195.6 million eDAI and 200 million dDAI. The attacker repaid part of the initial debt using the remaining funds, tricking the protocol into falsely assuming it owed more to depositors than it held.

DeFi exploits – in which hackers make use of the open-source nature of a platform's code to gain unauthorized access to its assets – are one of the foremost problems plaguing the industry.

According to blockchain analytics firm Chainalysis, over $3 billion was stolen from DeFi protocols via hacks or exploits in 2022.

Read more: Oasis Exploits Its Own Wallet Software to Seize Crypto Stolen in Wormhole Hack

UPDATE (March 13, 10:10 UTC): Adds comment from Euler Finance and information on the nature of exploits and their prevalence in the DeFi industry

UPDATE (March 13, 12:15 UTC): Updates amount taken in headline, first paragraph; adds attack vector in second paragraph, attack details starting in fifth.