Before the $196 million attack, Ethereum-based lending protocol Euler Finance underwent ten independent audits over two years, which deemed it "no higher than low risk" with "no open issues."
In a series of tweets on March 17, Euler Labs CEO Michael Bentley described the "hardest days" of his life after Euler was hit with a $196 million flash loan attack on March 13. He retweeted a message shared by a user saying Euler had been audited 10 times by 6 different companies, and commented that the platform "has always been a security-focused project."
Between May 2021 and September 2022, blockchain security firms including Halborn, Solidified, ZK Labs, Certora, Sherlock, and Omniscia conducted smart contract audits of Euler Finance. Halborn ranks its risk assessments by measuring the "likelihood of a security incident" and its likely impact, ranging from very low to informational to critical. Euler received "nothing higher than low risk."
The December 2022 Halborn audit summary said the audit had found "generally satisfactory results." Halborn "examined and analyzed" 23 smart contracts over the course of a month, finding only "two low-risk and three informational" risks, the summary said.
Euler said it had reviewed Halborn's reporting and concluded the risks "do not pose a significant threat." Blockchain security firm Omniscia addressed some "incorrect paradigms" in Euler's underlying exchange implementation, and in how the exchange mode is "handled by the code base." However, Euler "adequately addressed" the issues and "has no outstanding issues," the report said.
On March 16, just hours after Euler offered a $1 million bounty for information leading to the hacker’s arrest, the protocol’s hackers began moving funds through the crypto mixer Tornado Cash.
In his most recent Twitter post, Bentley said he would never "forgive the attacker" because he was forced to "sacrifice time" with his newborn son as a result of the attack, but he thanked the security experts who were "looking for leads" to investigate.
Just 24 hours before the bounty was released, Euler issued a warning that if 90% of the funds were not returned within 24 hours, it would launch a bounty that would “get you arrested and return all funds.”



















