An in-depth analysis of the $195 million Euler Finance hack

On March 13, 2023, Euler Finance's lending pools were drained in a flash-loan attack, with the total loss estimated at about 195 million US dollars. This figure is more than double the combined losses from all other security incidents in the Web3 space so far in 2023.
According to Euler Finance’s description of itself, the platform is “a non-custodial protocol on Ethereum that allows users to lend and borrow virtually any cryptocurrency asset.”
The root cause of this attack is a vulnerability in `donateToReserves` in the Euler pool contract. Because this function does not check the caller's position health, a user can voluntarily give up part of a leveraged deposit to push their own position into insolvency, and then use Euler's distinctive liquidation rules to liquidate that position at a profit.

Using assets borrowed via flash loan, the attacker first created a highly leveraged, insolvent position through the `mint` function unique to the Euler lending protocol and the vulnerable `donateToReserves` function in the Euler pool contract. In the same transaction, the attacker then acted as liquidator of the insolvent position they had created, obtaining a large amount of eTokens for "free". Finally, the pool was drained by withdrawal, and the attack was repeated against multiple Euler pools until all of them were exhausted.
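The following simplified Solidity illustration, added here and not Euler's actual code, shows the vulnerable pattern described above (a reserve donation that burns the caller's collateral claim without re-checking position health) next to a hardened version that performs the liquidity check; the contract name, the collateral factor and the flat eToken/dToken accounting are assumptions for illustration only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified illustration (not Euler's code). eToken balances stand for the
// user's collateral claim, dToken balances for the user's debt; health is
// judged by comparing risk-adjusted collateral with outstanding debt.
contract SimplifiedLendingPool {
    mapping(address => uint256) public eTokenBalance; // collateral claim
    mapping(address => uint256) public dTokenBalance; // debt
    uint256 public reserveBalance;

    // Hypothetical collateral factor: 1e18 == 100%.
    uint256 public constant COLLATERAL_FACTOR = 0.9e18;

    error PositionUnhealthy(address account);

    // Vulnerable pattern: moves collateral to reserves but never re-checks
    // whether the caller's remaining collateral still covers their debt, so a
    // borrower can deliberately make their own position liquidatable.
    function donateToReservesVulnerable(uint256 amount) external {
        eTokenBalance[msg.sender] -= amount; // reverts on underflow in 0.8.x
        reserveBalance += amount;
    }

    // Hardened pattern: identical accounting followed by a liquidity check, so
    // the call reverts if it would leave the caller undercollateralised.
    function donateToReserves(uint256 amount) external {
        eTokenBalance[msg.sender] -= amount;
        reserveBalance += amount;
        _checkLiquidity(msg.sender);
    }

    function _checkLiquidity(address account) internal view {
        if (!isHealthy(account)) revert PositionUnhealthy(account);
    }

    // A position is healthy when risk-adjusted collateral covers the debt.
    function isHealthy(address account) public view returns (bool) {
        uint256 riskAdjusted = (eTokenBalance[account] * COLLATERAL_FACTOR) / 1e18;
        return riskAdjusted >= dTokenBalance[account];
    }
}
```

Any function that reduces a borrower's collateral or increases their debt should end with the same kind of health check; the audit point raised at the end of the article is that newly added entry points such as this one need that review too.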
Attack process
① The attacker flash-loaned 30 million DAI from AAVE.
② The attacker deposited 20 million DAI into Euler through the eDAI contract and received 20 million eDAI. Before this deposit, the DAI balance of the Euler pool was 8.9 million.
③ Call `eDAI.mint()`. This particular `mint` function is unique to Euler Finance and allows a user to borrow and redeposit repeatedly in one call. It is a way of creating a borrowing loop, the result of which is a leveraged borrowing position.
④ After calling `mint`, the attacker received 200 million dDAI and 195.6 million eDAI. (Note: dTokens represent debt, eTokens represent collateral deposit claims.)
⑤ Call `repay`, repaying 10 million DAI to Euler's eDAI pool, which burns 10 million dDAI. Then call `mint` again, creating another borrowing position of 200 million dDAI and 195.6 million eDAI for the attack contract. At this point the attacker's position is: 390 million dDAI and 400 million eDAI.
⑥ Call `donateToReserves` (the vulnerable function, introduced in July 2022) to transfer 100 million eDAI to Euler. Because this operation does not properly check the caller's collateral status, after the "donation" the attacker became a "violator" (an address with an unhealthy debt level) whose risk-adjusted liabilities far exceed the value of its collateral, and which can therefore be liquidated. At this point the attacker's position is: 390 million dDAI and 300 million eDAI.
⑦ The liquidator contract deployed by the attacker begins to liquidate the "violator". A special feature of Euler Finance's liquidation logic is that when the liquidated position is extremely unhealthy, the liquidator can obtain a "discount" of up to 20% in the process.
⑧ Through the liquidation, the liquidator obtained a "debt" of 259 million dDAI and an "asset" of 310 million eDAI. The amount of debt transferred in the liquidation is much lower than the assets received; the liquidator obtained nearly 45 million worth of eDAI assets.
⑨ Using the eDAI obtained, the liquidator withdrew all 38.9 million DAI of collateral from the protocol, then repaid the flash loan, making a profit of 8 million US dollars.
The attacker currently holds $13.5 million worth of ETH at address one, $148 million in ETH and 43 million DAI at address two.
Address one:
https://etherscan.io/address/0xB2698C2D99aD2c302a95A8DB26B08D17a77cedd4
Address two:
https://etherscan.io/address/0xb66cd966670d962C227B3EABA30a872DbFb995db
Remarkably, the first attack transaction was front-run by an MEV bot, which earned $8.79 million in DAI. Unfortunately, the withdrawal address was hardcoded in the attacker's contract, so when the MEV bot tried to return the funds, it could only send the intercepted funds to the attacker's address.
The second through fifth attacks netted hackers $177 million worth of assets.
Closing remarks
Currently, the event is the largest hack in the Web3 space in 2023. Euler Finance acknowledged the authenticity of the incident in a tweet and said they are currently cooperating with security experts and law enforcement.
The overall security level and awareness of the Euler Finance team is at a relatively high level in the industry, and it has also cooperated with many security companies. The project has been audited and is also supported by the bug bounty program, but the project has not escaped the claws of hackers.
Therefore, CertiK security experts remind again that newly added functions must also be audited. The above-mentioned contract vulnerability was introduced by https://forum.euler.finance/t/eip-14-contract-upgrades/305, which caused such serious consequences.
Therefore, an audit is not a once-and-for-all guarantee. When new functions are added to a contract, the newly added functions must be re-audited. Otherwise, even a thoroughly audited "dyke of a thousand li" may collapse through an unaudited "ant hole".


