The March 13 flash loan attack on Euler has gone viral, causing 11 different decentralized finance (DeFi) protocols to freeze or lose funds, according to their respective reports on Twitter. Balancer, an Ethereum protocol with a total value locked (TVL) of over $1 billion, was one of the affected protocols. Here's an overview of the main vulnerabilities and what we know so far.
Balancer reported on March 13 that the Euler Boosted USD (bb-e-USD) mining pool had been affected by the bug. Around $11.9 million worth of tokens from the pool were sent to Euler during the exploit. The Balancer emergency subDAO reacted by pausing the pool and putting it in recovery mode. However, at the time of the pause, over 65% of the pool TVL had been lost. Liquidity providers were unable to retrieve funds remaining in the pool due to a bug in the application user interface (UI). However, Balancer said that "in the near future" a new user interface will be available that will allow withdrawal of remaining funds. Balancer clarified that no other mining pools were affected.
Angle Protocol has released a preliminary report on its attack. It may have lost more than $17 million worth of USDC.This could lead to under collateralization of the euro-pegged agEUR stablecoin. The team is still investigating and trying to prepare a detailed balance sheet. All minting and redemption of agEUR is currently suspended, but borrowers can still repay the agreement debt normally, the team said.
Idle Finance provides a detailed list of losses due to the Euler vulnerability. It appears to have lost about $5.9 million worth of tokens in total, according to Ether on March 13 and euro prices. The team has suspended all Best Yield Vaults and Yield Tranches related to Euler to prevent further losses.
Yield Protocol is another protocol affected by the vulnerability. According to the team’s announcement about the attack, its “mainnet liquidity pool is built on top of Euler.” The company has disabled the mainnet application, suspended lending and is investigating the attack. Its mainnet liquidity pool appears to have been affected, with losses likely to be “less than $1.5 million.”
InverseFinance reported that it too was hit, with its DOLA Fed losing more than $860,000 in DOLA-bb-e-USD on Balancer. The team said it is communicating with Balancer to try to return these funds to depositors. SwissBorg reported that “a small portion of [its] Smart Yield program was affected”. However, "due to our risk management procedures, the extent of the loss is minimal." The team said it will compensate all losses of its funds and its users "will not suffer any loss as a result of this incident."
In a Telegram conversation with Cointelegraph, SwissBorg founder Cyrus Fazel clarified that the protocol ranks yielding strategies based on risk, time, and APY. Since Euler is rated Risk 2- Adventurous, SwissBorg users have "limited" investment in Euler. This mitigates the loss of the protocol, he explained. Opyn, Mean, Sense and Harvest also reported that they may have been affected by the bug, but none provided details on how much was lost. This brings the total number of affected agreements to 11, with a cumulative loss of $37.6 million.
Euler Finance is a cryptocurrency lending protocol running on Ethereum. Its popularity is partly due to its support for using liquid collateralized derivatives (LSDs) such as Coinbase Staked ETH (cbETH) or Lido Staked ETH (stETH) as loan collateral. On March 8, Euler locked up over $311 million in cryptocurrency in its smart contracts. Since the exploit, its TVL has dropped to $10.37 million.
