Ethereum-based non-custodial lending protocol Euler Finance suffered a flash loan attack on March 13. The attackers managed to steal millions in Dai, USDC, staked Ether (stETH) and Wrapped Bitcoin (WBTC).
Based on the latest update, the attackers made multiple transactions and stole nearly $196 million, according to on-chain data. The ongoing attack has become the biggest hack of 2023. According to cryptocurrency analysis firm Meta Sleuth, the attack is related to the deflation attack a month ago. The attackers used a multichain bridge to move funds from the BNB Smart Chain (BSC) to Ethereum and launched their attack today.
Another well-known on-chain sleuth, ZachXBT, reiterated the same sentiment, saying that the flow of funds and the nature of the attack appeared very similar to those of the black hat hackers who exploited a BSC-based protocol last month. After exploiting the protocol on BSC, the funds were deposited into the crypto mixer Tornado Cash.
The stolen funds are currently located at the following hacker addresses:
- 0xebc29199c817dc47ba12e3f86102564d640cbf99 (contract) - 8,877,507.34 DAI
- 0xb2698c2d99ad2c302a95a8db26b08d17a77cedd4 - 8,080.97 ETH
- 0xb66cd966670d962c227b3eaba30a872dbfb995db - 88,752.69 ETH & 34,186,225.91 DAI
Euler Finance acknowledged the breach and said they are currently working with security professionals and law enforcement to resolve the issue.
A detailed analysis of the attack by blockchain security company SlowMist Technology showed that the attacker used flash loans to deposit funds, and that a second round of leverage then triggered liquidation. The exploiter donated the funds to the reserve address and self-liquidated to collect any remaining assets.
Two factors contributed to the success of the exploit. First, funds could be donated to the reserve address without a liquidity check, which triggered soft liquidation. Second, high leverage triggered the soft liquidation logic, allowing the liquidator to obtain most of the collateral from the liquidated user's account while taking over only part of the liabilities.
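The first factor, a donation path that skips the liquidity check, can be seen in a simplified model. This is an added example, not Euler's contract code: the `Pool` and `Account` classes, the 90% collateral factor and the balances are all constructed for illustration, and it shows the unchecked path beside a hardened one that re-checks account health and rejects the donation.

```python
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


class HealthCheckFailed(Exception):
    """Raised when an operation would leave an account undercollateralized."""


@dataclass
class Account:
    collateral: int  # value of deposit tokens held (constructed units)
    debt: int        # value of outstanding liabilities


class Pool:  # hypothetical lending pool, not the protocol's real interface
    def __init__(self, collateral_factor_bps: int, check_on_donate: bool):
        self.cf_bps = collateral_factor_bps
        self.check_on_donate = check_on_donate
        self.reserves = 0

    def is_healthy(self, acct: Account) -> bool:
        # Risk-adjusted collateral must cover the debt.
        return acct.collateral * self.cf_bps >= acct.debt * BPS

    def donate_to_reserves(self, acct: Account, amount: int) -> None:
        if not 0 < amount <= acct.collateral:
            raise ValueError("invalid donation amount")
        acct.collateral -= amount  # donor gives up collateral...
        self.reserves += amount    # ...but keeps all of its debt
        if self.check_on_donate and not self.is_healthy(acct):
            # Hardened path: undo the state change and reject the call.
            acct.collateral += amount
            self.reserves -= amount
            raise HealthCheckFailed("donation would make account liquidatable")


def run_case(check_on_donate: bool, amount: int):
    """Return (accepted, healthy_afterwards, collateral, reserves)."""
    pool = Pool(collateral_factor_bps=9_000, check_on_donate=check_on_donate)
    acct = Account(collateral=1_000, debt=800)  # constructed leveraged position
    try:
        pool.donate_to_reserves(acct, amount)
        accepted = True
    except HealthCheckFailed:
        accepted = False
    return accepted, pool.is_healthy(acct), acct.collateral, pool.reserves
```

With the check disabled, a donation of 300 is accepted and leaves the account below the health threshold; with it enabled, the same call is rejected and balances are unchanged, while a donation of 100 that keeps the account healthy still succeeds.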
Gustavo Gonzalez, a solutions developer at blockchain security firm OpenZeppelin, told Cointelegraph that this all happened in a single transaction (once per pool) using Aave's flash loans. He explained: "There appears to be a bug in one of the Euler smart contracts, which does not check the health factor when executing the donateToReserves() function. As a result, the attacker is able to liquidate himself from the protocol, repay the flash loan and make a huge profit."
Euler Finance raised $32 million in a funding round last year that included FTX, Coinbase, Jump, Jane Street and Uniswap.
Euler Finance is popular for providing liquid staking derivatives (LSD) services. LSD is a relatively new token type that enables stakers to increase potential returns by unlocking liquidity in staked cryptocurrencies such as Ether. Currently, LSD accounts for 20% of the total value locked in decentralized finance protocols.






















