Euler Finance attack: How it happened, and what can be learned


The March 13 flash loan attack against Euler Finance resulted in over $195 million in losses. It caused a contagion to spread through multiple decentralized finance (DeFi) protocols, and at least 11 protocols other than Euler suffered losses due to the attack.

Over the next 23 days, and to the great relief of many Euler users, the attacker returned all of the exploited funds.

But while the crypto community can celebrate the return of the funds, the question remains whether similar attacks may cause massive losses in the future.

An analysis of how the attack happened, and of whether developers and users can do anything to help prevent these kinds of attacks in the future, may be helpful.

Luckily, Euler’s developer docs clearly explain how the protocol works, and the blockchain itself has preserved a complete record of the attack.

How Euler Finance works

According to the protocol’s official docs, Euler is a lending platform similar to Compound or Aave. Users can deposit crypto and allow the protocol to lend it to others, or they can use a deposit as collateral to borrow crypto.

The value of a user’s collateral must always be more than what they borrow. If a user’s collateral falls below a specific ratio of collateral value to loan value, the platform allows them to be “liquidated,” meaning their collateral is sold off to pay back their debts. The exact amount of collateral a user needs depends on the asset being deposited vs. the asset being borrowed.

eTokens are assets, while dTokens are debts

Whenever users deposit to Euler, they receive eTokens representing the deposited coins. For example, if a user deposits 1,000 USD Coin (USDC), they will receive roughly the same amount of eUSDC in exchange.

eTokens do not keep a 1:1 correspondence with the underlying asset in terms of value: as the deposit earns interest, each eToken becomes worth more than one underlying coin, so a depositor receives slightly fewer eTokens than the number of coins deposited.

Euler also allows users to gain leverage by minting eTokens. But if they do this, the protocol will send them debt tokens (dTokens) to balance out the assets created.

For example, the docs say that if a user deposits 1,000 USDC, they can mint 5,000 eUSDC. However, if they do this, the protocol will also send them 5,000 of a debt token called “dUSDC.”

The transfer function for a dToken is written differently than that of a standard ERC-20 token. If you own a debt token, you can’t transfer it to another person, but anyone can take a dToken from you if they want to.


According to the Euler docs, a user can only mint as many eTokens as they would have been able to by depositing and borrowing over and over again. As the docs state, “The Mint function mimics what would happen if a user deposited $1,000 USDC, then borrowed $900 USDC, then redeposited that $900 USDC, to borrow $810 more USDC, and so on.”

Users are liquidated if their health score drops to 1 or below

According to a blog post from Euler, each user has a “health score” based on the value of the eTokens held in their wallets vs. the value of the dTokens held. A user needs to have a greater dollar value of eTokens than dTokens, but how much more depends on the particular coins they are borrowing or depositing. Regardless, a user with enough eTokens will have a health score greater than 1.

If the user barely falls below the required number of eTokens, they will have a health score of exactly 1. This will subject them to “soft liquidation.” Liquidator bots can call a function to transfer some of the user’s eTokens and dTokens to themselves until the borrower’s health score returns to 1.25. Since a user who is barely below the collateral requirements will still have more collateral than debt, the liquidator should profit from this transaction.

If a user’s health score falls below 1, then an increasing discount is given to the liquidator based on how bad the health score is. The worse the health score, the greater the discount to the liquidator. This is intended to make sure that someone will always liquidate an account before it accumulates too much bad debt.

Euler’s post claims that other protocols offer a “fixed discount” for liquidation and argues why it thinks variable discounts are superior.

How the Euler attack happened

Blockchain data reveals that the attacker carried out a series of attacks that drained various tokens from the protocol. The first attack drained about $8.9 million worth of Dai (DAI) from the DAI deposit pool. It was then repeated over and over again for other deposit pools until the full amount was drained.

The attacker used three different Ethereum addresses to execute the attack. The first was a smart contract, which Etherscan has labeled “Euler Exploit Contract 1,” used to borrow from Aave. The second address was used to deposit and borrow from Euler, and the third was used to perform a liquidation.

To avoid having to repeatedly state the addresses that Etherscan has not labeled, the second account will be referred to as “Borrower” and the third account as “Liquidator,” as shown below:

Ethereum addresses used by the hacker. Source: Etherscan

The first attack consisted of 20 transactions in the same block.

First, Euler Exploit Contract 1 borrowed 30 million DAI from Aave in a flash loan. It then sent this loan to the Borrower account.

After receiving the 30 million DAI, Borrower deposited 20 million of it to Euler. Euler responded by minting about 19.6 million eDAI and sending it to Borrower.

These eDAI coins were a receipt for the deposit, so no corresponding amount of dDAI was minted in the process. And since each eDAI can be redeemed for slightly more than 1 DAI, Borrower received only 19.6 million eDAI instead of the full 20 million.

After performing this initial deposit, Borrower minted about 195.7 million eDAI. In response, Euler minted 200 million dDAI and sent it to Borrower.

At this point, Borrower was near their eDAI mint limit, as they had now borrowed about 10 times the amount of DAI they had deposited. So their next step was to pay off some of the debt. They deposited the other 10 million DAI they had held onto, effectively paying back $10 million of the loan. In response, Euler took 10 million dDAI out of Borrower’s wallet and burned it, reducing Borrower’s debt by $10 million.


The attacker was then free to mint more eDAI. Borrower minted another 195.7 million eDAI, bringing their total minted eDAI to about 391.4 million. The 19.6 million eDAI in deposit receipts brought Borrower’s eDAI total to about 411 million.

In response, Euler minted another 200 million dDAI and sent it to Borrower, bringing Borrower’s total debt to about $400 million (the 200 million minted here on top of the roughly 190 million still outstanding after the repayment).

Once Borrower had maximized their eDAI minting capacity, they gave up 100 million eDAI, which Etherscan shows as a transfer to the null address, effectively destroying it. The 100 million eDAI left Borrower’s balance while the dDAI debt stayed in place.

This pushed their health score well below 1, as they now had about $400 million in debt vs. about $320 million in assets.

This is where the Liquidator account comes in. It called the liquidate function, entering Borrower’s address as the account to be liquidated.

Liquidation event emitted during the Euler attack. Source: Ethereum blockchain data

In response, Euler initiated the liquidation process. It first took about 254 million dDAI from Borrower and destroyed it, then minted 254 million new dDAI and transferred it to Liquidator. These two steps transferred $254 million worth of debt from Borrower to Liquidator.

Next, Euler minted an additional 5.08 million dDAI (2% of the debt transferred) and sent it to Liquidator. This brought Liquidator’s debt to about $260 million. Finally, Euler transferred about 310.9 million eDAI from Borrower to Liquidator, completing the liquidation process.

In the end, Borrower was left with no eDAI, no DAI, and 146 million dDAI. This meant that the account had no assets and $146 million worth of debt, which is now bad debt for the protocol.

On the other hand, Liquidator had about 310.9 million eDAI and only 260 million dDAI.

Once the liquidation had been completed, Liquidator redeemed 38 million eDAI ($38.9 million), receiving 38.9 million DAI in return. They then returned 30 million DAI plus interest to Euler Exploit Contract 1, which the contract used to pay back the flash loan from Aave.

In the end, Liquidator was left with approximately $8.9 million in profit that had been exploited from other users of the protocol.

This attack was repeated for multiple other tokens, including Wrapped Bitcoin (WBTC), Staked Ether (stETH) and USDC, amounting to $197 million in exploited cryptocurrencies.

Losses from Euler attack. Source: Blocksec
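The mechanics in the two sections above (eToken deposits and mints, dToken debt, the health score and the growing liquidation discount) and the DAI flow just described can be replayed in a toy model. The code below is an added example written for this page, not Euler’s code: the eDAI exchange rate (1.02), the collateral factor (0.95), the discount cap (25%) and the 2% liquidation fee are assumed round numbers chosen so that the page’s figures come out in the same ballpark, and Euler’s separate collateral and borrow factors and its self-collateralisation rules are collapsed into a single health formula. The only switch is whether the donate path runs the health check that Omniscia and SlowMist say was missing.

```python
"""Toy single-asset lending market (added example, not Euler's code). Rate,
collateral factor, discount cap and fee are assumed; Euler's separate
collateral/borrow factors are collapsed into one health formula."""
from dataclasses import dataclass


class HealthCheckFailed(Exception):
    """An action would leave the account with health score < 1."""


@dataclass
class Account:
    dai: float = 0.0       # DAI in the wallet
    etokens: float = 0.0   # eDAI: deposit receipts, each worth `rate` DAI
    dtokens: float = 0.0   # dDAI: debt, 1 dDAI = 1 DAI owed


class Market:
    def __init__(self, rate=1.02, collateral_factor=0.95, max_discount=0.25,
                 liquidation_fee=0.02, check_health_on_donate=True):
        self.rate = rate                  # DAI per eDAI; > 1 once deposits earn interest
        self.cf = collateral_factor       # share of collateral value that counts (assumed)
        self.max_discount = max_discount  # cap on the dynamic liquidation discount (assumed)
        self.fee = liquidation_fee        # extra dTokens minted to the liquidator (assumed)
        self.check_health_on_donate = check_health_on_donate
        self.reserves = 0.0               # eTokens donated to the protocol

    def collateral_value(self, a):
        return a.etokens * self.rate

    def health(self, a):
        """Risk-adjusted collateral divided by debt; below 1 means liquidatable."""
        return float("inf") if a.dtokens == 0 else self.collateral_value(a) * self.cf / a.dtokens

    def _require_healthy(self, a):
        if self.health(a) < 1:
            raise HealthCheckFailed(f"health score {self.health(a):.3f} < 1")

    def deposit(self, a, dai):
        a.dai -= dai
        a.etokens += dai / self.rate      # receipt only: no dTokens created

    def mint(self, a, dai):
        """Self-collateralised borrow: eTokens and matching dTokens appear together."""
        a.etokens += dai / self.rate
        a.dtokens += dai
        self._require_healthy(a)          # this check is the mint limit

    def repay(self, a, dai):
        a.dai -= dai
        a.dtokens -= dai

    def withdraw(self, a, dai):
        a.etokens -= dai / self.rate
        a.dai += dai
        self._require_healthy(a)

    def donate_to_reserves(self, a, etokens):
        """Gives collateral away without reducing debt. With the check disabled,
        this is the behaviour the post-mortems describe."""
        a.etokens -= etokens
        self.reserves += etokens
        if self.check_health_on_donate:
            self._require_healthy(a)

    def liquidate(self, liquidator, violator, repay_dai):
        """Liquidator takes over `repay_dai` of debt (plus fee) and seizes collateral
        worth repay_dai * (1 + discount); the discount grows as health falls."""
        h = self.health(violator)
        if h >= 1:
            raise ValueError("violator is healthy")
        discount = min(1 - h, self.max_discount)
        seized = repay_dai * (1 + discount) / self.rate
        if seized > violator.etokens * (1 + 1e-9):
            raise ValueError("not enough collateral to seize")
        seized = min(seized, violator.etokens)   # absorb float rounding
        violator.dtokens -= repay_dai
        liquidator.dtokens += repay_dai * (1 + self.fee)
        violator.etokens -= seized
        liquidator.etokens += seized
        return discount


def replay_attack(check_health_on_donate):
    """Replays the page's DAI flow: 30M flash loan, 20M deposit, 200M mint, 10M
    repayment, 200M mint, 100M donation, self-liquidation. Returns whether the
    donation was blocked, the liquidator's profit and the protocol's bad debt."""
    m = Market(check_health_on_donate=check_health_on_donate)
    borrower, liquidator = Account(), Account()
    flash_loan = 30_000_000
    borrower.dai += flash_loan
    m.deposit(borrower, 20_000_000)
    m.mint(borrower, 200_000_000)
    m.repay(borrower, 10_000_000)             # frees headroom for the second mint
    m.mint(borrower, 200_000_000)
    try:
        m.donate_to_reserves(borrower, 100_000_000)
    except HealthCheckFailed:
        return {"blocked": True, "profit": 0.0, "bad_debt": 0.0}
    # Self-liquidation: repay exactly as much debt as the violator's collateral covers.
    discount = min(1 - m.health(borrower), m.max_discount)
    m.liquidate(liquidator, borrower, m.collateral_value(borrower) / (1 + discount))
    # Withdraw almost all of the liquidator's own headroom, then settle the flash loan.
    headroom = m.collateral_value(liquidator) - liquidator.dtokens / m.cf
    m.withdraw(liquidator, headroom * 0.999)
    return {"blocked": False,
            "profit": liquidator.dai - flash_loan,
            "bad_debt": borrower.dtokens - m.collateral_value(borrower)}


if __name__ == "__main__":
    print(replay_attack(check_health_on_donate=False))
    print(replay_attack(check_health_on_donate=True))
```

With the check disabled, the self-liquidation ends with the liquidator holding roughly $9 million of DAI beyond the flash loan and the borrower holding about $130 million of debt against no collateral, the same shape as the figures above; with the check enabled, the donation reverts and the rest of the flow never runs. The point of the model is that every other path that reduces an account’s collateral (mint, withdraw) ends in the same check, so the exploit needs one path that skips it.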

What went wrong in the Euler attack

Blockchain security firms Omniscia and SlowMist have analyzed the attack to try to determine what could have prevented it.

According to a March 13 report from Omniscia, the primary problem with Euler was its “donateToReserves” function. This function allowed the attacker to donate their eDAI to Euler’s reserves, removing assets from their wallet without removing a corresponding amount of debt. Omniscia says that this function was not in the original version of Euler but was introduced in Euler Improvement Proposal 14 (eIP-14).

The code for eIP-14 reveals that it created a function called donateToReserves, which allows the user to transfer tokens from their own balance to a protocol variable called “assetStorage.reserveBalance.” Whenever this function is called, the contract emits a “RequestDonate” event that provides information about the transaction.

Blockchain data shows that this RequestDonate event was emitted for a value of 100 million tokens. This is the exact amount that Etherscan shows were burned, pushing the account into insolvency.

Euler’s RequestDonate event being emitted during the attack. Source: Ethereum blockchain data
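The on-chain trail described above (a RequestDonate for the full collateral amount, followed in the same block by a Liquidation of the donating account) is also a detectable pattern. The snippet below is an added example of that monitoring rule, not Euler’s code or tooling: it runs over a constructed list of decoded event records, and the record layout and field names (`account`, `violator`, `repay`) are simplified assumptions rather than Euler’s real event ABI.

```python
"""Added example: flag accounts liquidated shortly after their own RequestDonate.
The event records below are constructed and simplified; field names are
assumptions, not Euler's real ABI."""

# Constructed sample of decoded events (not real chain data); amounts in whole tokens.
SAMPLE_EVENTS = [
    {"block": 100, "tx": 1, "event": "Deposit", "account": "0xBORROWER", "amount": 20_000_000},
    {"block": 100, "tx": 1, "event": "RequestDonate", "account": "0xBORROWER", "amount": 100_000_000},
    {"block": 100, "tx": 1, "event": "Liquidation", "liquidator": "0xLIQUIDATOR",
     "violator": "0xBORROWER", "repay": 254_000_000},
    {"block": 250, "tx": 7, "event": "RequestDonate", "account": "0xALICE", "amount": 5_000},
    {"block": 900, "tx": 9, "event": "Liquidation", "liquidator": "0xBOB",
     "violator": "0xALICE", "repay": 1_000},
]


def donate_then_liquidated(events, max_block_gap=0, min_donation=0):
    """Return one alert per Liquidation whose violator emitted a RequestDonate of at
    least `min_donation` tokens no more than `max_block_gap` blocks earlier.

    A gap of 0 isolates the single-block (flash-loan) case; a larger gap also
    surfaces slower variants at the cost of more false positives."""
    last_donation = {}   # account -> (block, amount) of its most recent donation
    alerts = []
    for ev in sorted(events, key=lambda e: (e["block"], e["tx"])):
        if ev["event"] == "RequestDonate" and ev["amount"] >= min_donation:
            last_donation[ev["account"]] = (ev["block"], ev["amount"])
        elif ev["event"] == "Liquidation":
            hit = last_donation.get(ev["violator"])
            if hit and ev["block"] - hit[0] <= max_block_gap:
                alerts.append({
                    "violator": ev["violator"],
                    "liquidator": ev["liquidator"],
                    "donated": hit[1],
                    "repaid": ev["repay"],
                    "blocks_apart": ev["block"] - hit[0],
                })
    return alerts


if __name__ == "__main__":
    for alert in donate_then_liquidated(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the rule fires once, for the borrower liquidated in the same block as its 100 million token donation, and ignores the unrelated donation and liquidation hundreds of blocks apart; widening `max_block_gap` or lowering `min_donation` trades precision for recall.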

In their March 15 analysis, SlowMist agreed with Omniscia about the importance of the donateToReserves function, stating:

“Failure to check whether the user was in a state of liquidation after donating funds to the reserve address resulted in the direct triggering of the soft liquidation mechanism.”

At first glance, the attacker might have been able to carry out the attack even if the donate function had not existed. The Euler “EToken.sol” contract code on GitHub contains a standard ERC-20 “transfer” function. This seems to imply that the attacker could have transferred their eTokens to another random user or to the null address instead of donating, pushing themselves into insolvency anyway.

Euler eToken contract transfer function. Source: GitHub

However, the attacker chose to donate the funds rather than transfer them, suggesting the transfer would not have worked. The contract explains why: the eToken transfer path in EToken.sol ends with a liquidity check on the sending account, so a transfer that dropped the sender’s health score below 1 would revert, whereas donateToReserves carried no equivalent check. That missing check is the gap both firms describe.

Cointelegraph has reached out to Omniscia, SlowMist and the Euler team for clarification on whether the donateToReserves function was essential to the attack. However, it had not received a response by publication time.


The two firms agreed that another major vulnerability in Euler was the steep discounts offered to liquidators. According to SlowMist, once a lending protocol has a “liquidation mechanism that dynamically updates discounts,” it “creates lucrative arbitrage opportunities for attackers to siphon off a large amount of collateral without the need for collateral or debt repayment.” Omniscia made similar observations, stating:

“When the violator liquidates themselves, a percentage-based discount is applied [...] guaranteeing that they will be ‘above-water’ and incur only the debt that matches the collateral they will acquire.”

How to prevent a future Euler attack

In its analysis, SlowMist advised developers on how to prevent another Euler-style attack in the future. It argued that lending protocols should not allow users to burn assets if doing so would create bad debt, and it said that developers should be careful when using multiple modules that may interact with each other in unexpected ways:

“The SlowMist Security Team recommends that lending protocols incorporate necessary health checks in functions that involve user funds, while also considering the security risks that can arise from combining different modules. This will allow for the design of secure economic and viable models that effectively mitigate such attacks in the future.”

A representative from DeFi developer Spool told Cointelegraph that technological risk is an intrinsic feature of the DeFi ecosystem. Although it can’t be eliminated, it can be mitigated through models that properly rate the risks of protocols.

According to Spool’s risk management white paper, it uses a “risk matrix” to determine the riskiness of protocols. This matrix considers factors such as the protocol’s annual percentage yield (APY), audits performed on its contracts, time since its deployment, total value locked (TVL) and others to create a risk rating. Users of Spool can employ this matrix to diversify DeFi investments and limit risks.

The representative told Cointelegraph that Spool’s matrix significantly reduced investor losses from the Euler incident.

“In this incident, the worst affected Smart Vaults, those designed by users to seek higher (and riskier) yields, were only affected for up to 35%. The lowest affected vault with exposure to Euler strategies (via Harvest or Idle), in comparison, was only affected by 6%. Some vaults had zero exposure and were thus not impacted,” they stated.

Spool continued, “While this is not ideal, it clearly demonstrates the ability of the Smart Vaults to provide tailored risk models and to distribute users’ funds among multiple yield sources.”

Cointelegraph got a similar response from SwissBorg, another DeFi protocol that aims to help users limit risk through diversification. SwissBorg CEO Cyrus Fazel stated that the SwissBorg app has “different yield strategies based on risk/timeAPY.”

Some strategies are listed as “1: core = low,” while others are listed as “2: adventurous = risky.” Because Euler was given a “2” rating, losses from the protocol were limited to only a small fraction of SwissBorg’s total value locked, Fazel stated.

SwissBorg head of engineering Nicolas Rémond clarified further that the team employs sophisticated criteria to determine what protocols can be listed in the SwissBorg app.

“We have a due-diligence process for all DeFi platforms before entering any position. And then, once we’re there, we have operation procedures,” he said, adding, “The due diligence is all about TVL, team, audits, open-source code, TVL, oracle manipulation attack, etc. [...] The operation process is about platform monitoring, social media monitoring and some emergency measures. Some are still manual, but we’re investing to automate everything so that we can be highly reactive.”

In a March 13 Twitter thread, the SwissBorg team stated that though the protocol had lost 2.2% of the funds from one pool and 29.52% from another, all users would be compensated by SwissBorg should the funds not be recoverable from Euler.

The Euler attack was the worst DeFi exploit of Q1 2023. Thankfully, the attacker returned most of the funds, and most users should end up with no losses once all is said and done. But the attack raises questions about how developers and users can limit risk as the DeFi ecosystem continues to expand.

Some combination of developer diligence and investor diversification may be the solution to the problem. But regardless, the Euler hack may continue to be discussed well into the future, if for no other reason than its sheer size and its illustration of the risks of DeFi exploits.
