Original author: Jaleel, 0x22D, BlockBeats
How did the hackers attack Euler? Which protocols are currently affected? Which firms audited Euler? BlockBeats gives a brief review.
Review of the attack process: a "violator" and a "liquidator"
Omniscia, one of Euler Finance's audit partners, published a post-mortem technical analysis that examined the attack in detail and concluded that the exploited vulnerability stemmed from the donation function not performing the proper liquidity (health) check on the donating account.
The vulnerable code was introduced in eIP-14, a proposal that made several changes across the Euler ecosystem. The flaw lies in the first of those changes, the donateToReserves function added to the EToken implementation. The attacker used it to create an uncollateralized debt position by donating eToken collateral to the protocol's reserves, then liquidated that position and profited from the liquidation discount.
The donation path is not guarded by a liquidity check: a user can give away their eToken units while their dToken balance stays untouched, leaving a leveraged position backed by nothing, that is, "bad debt" created on demand.
(Image: attack flow diagram, source Arkham Intelligence)
According to Arkham's investigation, the attacker used more than 20 different contract addresses to drain various crypto assets from Euler. For each asset, the hacker deployed two contracts: a "violator" and a "liquidator". The violator abuses the donation function to push its own position underwater, and the liquidator then liquidates it and collects what is left.
The hacker's execution process, for the DAI run, was as follows:
1) Take a flash loan of 30M DAI from Balancer / Aave v2.
2) Deploy two contracts, Violator and Liquidator. The violator deposits and borrows; the liquidator closes out the position in the same transaction.
3) Deposit 2/3 of the funds into Euler: send 20M DAI and receive 19.5M eDAI.
4) Borrow against that deposit at 10x (Euler's self-collateralised mint), receiving 195.6M eDAI and 200M dDAI from Euler.
5) Use the remaining 1/3 of the funds to repay part of the debt: send 10M DAI and burn 10M dDAI.
6) Repeat step 4, receiving another 195.6M eDAI and 200M dDAI from Euler.
7) Donate 10x the repaid amount, 100M eDAI, to Euler's reserves. The debt is unchanged, so the violator is now undercollateralized.
8) The liquidator liquidates the violator at a discount, taking over its remaining eDAI together with the dDAI debt.
9) Withdraw every token the liquidator can from Euler, including 38.9M DAI.
10) Repay the flash loan and swap the USDC and WBTC proceeds into DAI and ETH.
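The accounting behind steps 3 through 7 and the liquidation that follows, as an added illustration (not Euler's code and not from the Arkham or Omniscia reports): a toy eToken/dToken ledger replays the article's amounts once with the donation path unchecked, as in eIP-14, and once with the liquidity check that was missing. The exchange rate is back-derived from "20M DAI -> 19.5M eDAI" and assumed constant; the self-collateral factor, the liquidation bonus and the liquidation formula are hypothetical simplifications chosen so the arithmetic is visible.

```python
"""Toy model of Euler-style eToken/dToken accounting (illustration, not Euler's code).
Amounts follow the article; EXCHANGE_RATE, SELF_COLLATERAL_FACTOR and
LIQUIDATION_BONUS are hypothetical parameters."""
import math
from dataclasses import dataclass

M = 1_000_000
EXCHANGE_RATE = 20 / 19.5        # DAI per eDAI, from "20M DAI -> 19.5M eDAI"; assumed constant
SELF_COLLATERAL_FACTOR = 0.95    # hypothetical haircut: collateral * factor must cover debt
LIQUIDATION_BONUS = 0.20         # hypothetical discount the liquidator earns on seized collateral


class Undercollateralized(Exception):
    """Raised when an operation would leave an account below the liquidity threshold."""


@dataclass
class Account:
    etoken: float = 0.0  # eDAI units: claim on pooled DAI (collateral)
    dtoken: float = 0.0  # dDAI units: DAI owed (debt)


class Market:
    def __init__(self, check_liquidity_on_donate: bool) -> None:
        # False reproduces the eIP-14 donateToReserves bug; True is the obvious fix.
        self.check_liquidity_on_donate = check_liquidity_on_donate
        self.reserves = 0.0  # eDAI units owned by the protocol

    @staticmethod
    def collateral_value(acct: Account) -> float:
        return acct.etoken * EXCHANGE_RATE

    def health(self, acct: Account) -> float:
        """Risk-adjusted collateral over debt; below 1.0 the account is liquidatable."""
        if acct.dtoken == 0:
            return math.inf
        return self.collateral_value(acct) * SELF_COLLATERAL_FACTOR / acct.dtoken

    def check_liquidity(self, acct: Account) -> None:
        if self.health(acct) < 1.0:
            raise Undercollateralized(f"health {self.health(acct):.3f} < 1.0")

    def deposit(self, acct: Account, dai: float) -> None:
        acct.etoken += dai / EXCHANGE_RATE

    def mint(self, acct: Account, dai: float) -> None:
        """Self-collateralised borrow: eDAI and dDAI are created together, then checked."""
        acct.etoken += dai / EXCHANGE_RATE
        acct.dtoken += dai
        self.check_liquidity(acct)

    def repay(self, acct: Account, dai: float) -> None:
        acct.dtoken -= dai

    def donate_to_reserves(self, acct: Account, etoken: float) -> None:
        """Give eDAI to the protocol; debt is untouched, so collateral can simply vanish."""
        acct.etoken -= etoken
        self.reserves += etoken
        if self.check_liquidity_on_donate:
            self.check_liquidity(acct)  # the check the vulnerable version lacked

    def liquidate(self, liquidator: Account, violator: Account) -> tuple:
        """Liquidator assumes debt and seizes collateral worth (1 + bonus) x that debt,
        capped at what the violator still holds. Returns (debt_assumed, etoken_seized)."""
        if self.health(violator) >= 1.0:
            raise ValueError("violator is healthy; nothing to liquidate")
        debt_assumed = min(violator.dtoken,
                           self.collateral_value(violator) / (1 + LIQUIDATION_BONUS))
        etoken_seized = min(violator.etoken,
                            debt_assumed * (1 + LIQUIDATION_BONUS) / EXCHANGE_RATE)
        violator.dtoken -= debt_assumed
        violator.etoken -= etoken_seized
        liquidator.dtoken += debt_assumed
        liquidator.etoken += etoken_seized
        return debt_assumed, etoken_seized


def run_attack(market: Market) -> dict:
    """Replay the article's deposit / mint / repay / mint / donate sequence, then liquidate."""
    violator, liquidator = Account(), Account()
    market.deposit(violator, 20 * M)               # 20M DAI -> 19.5M eDAI
    market.mint(violator, 200 * M)                 # 10x leverage
    market.repay(violator, 10 * M)                 # burn 10M dDAI
    market.mint(violator, 200 * M)                 # 10x again
    market.donate_to_reserves(violator, 100 * M)   # gift 100M eDAI away (raises if checked)
    health_after_donate = market.health(violator)
    etoken_after_donate = violator.etoken
    debt_assumed, etoken_seized = market.liquidate(liquidator, violator)
    return {
        "etoken_after_donate": etoken_after_donate,
        "health_after_donate": health_after_donate,
        # value the liquidator walks away with, minus the debt it took on
        "liquidator_gain": etoken_seized * EXCHANGE_RATE - debt_assumed,
        # debt left on an emptied account: the loss depositors eat
        "bad_debt": violator.dtoken,
    }


def attack_succeeds(market: Market) -> bool:
    try:
        return run_attack(market)["liquidator_gain"] > 0
    except Undercollateralized:
        return False


if __name__ == "__main__":
    print("vulnerable:", attack_succeeds(Market(check_liquidity_on_donate=False)))  # True
    print("patched:   ", attack_succeeds(Market(check_liquidity_on_donate=True)))   # False
```

With the unchecked market the violator passes every liquidity check on the way up (health stays above 1.0 after both mints), drops to a health of about 0.77 the moment it donates, and the liquidator ends up with collateral worth more than the debt it assumed while the emptied violator account still owes roughly 125M dDAI. With `check_liquidity_on_donate=True` the same sequence reverts at the donation, which is the invariant an audit of eIP-14 needed to see preserved.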
(Image: fund flow diagram, source Arkham Intelligence)
The address marked "recipient" is the contract used to execute the exploit (and the first recipient of the stolen funds). The vast majority of the funds were then sent to separate addresses labeled "holders"; at the time of writing, that holder address held about $192 million worth of cryptocurrency.
(Image: holder address balances, source Arkham Intelligence)
According to PeckShield's monitoring, the Euler Finance attacker has transferred at least 100 ETH to Tornado Cash through the address beginning 0xc66d. On-chain investigator ZachXBT's analysis also shows that the same address had previously attacked a protocol on BSC and deposited those stolen funds into Tornado Cash as well. As most would guess, the attacker is almost certainly a black hat.
Which protocols are affected?
The Euler attack has a wide blast radius and affects several DeFi protocols connected to Euler, including:
Aztec
The Euler Finance vulnerability affected Aztec Connect users who attempted to withdraw funds; affected users are currently unable to withdraw. Aztec has no control over the Euler integration, and the rest of Aztec Connect is functioning.
Separately, Aztec announced that although Aztec Connect was the world's first privacy rollup, its design has problems that increase maintenance costs. Given the project's scale and commercial factors, Aztec is about to shut Connect down and devote all engineering resources to building the L2 privacy protocol Noir, whose next version will support fully programmable smart contracts with privacy by default.
Yield
Yield Protocol has halted mainnet lending operations because of the Euler attack. Yield's mainnet liquidity pools are built on Euler, and Euler has paused its mainnet contracts. Yield has taken down the app and closed the borrowing entry point in its official UI.
Balancer
In the Euler Finance attack, about $11.9 million was sent to Euler from the bbeUSD liquidity pool, 65% of that pool's TVL. bbeUSD was also deposited in four other pools: wstETH/bbeUSD, rETH/bbeUSD, TEMPLE/bbeUSD and DOLA/bbeUSD. All other Balancer pools are safe. Because of measures taken to protect the remaining funds, the UI currently does not let existing LPs exit positions in these bbeUSD pools, but there is no risk of further loss. bbeUSD pool users can withdraw the paired token and bbeUSD proportionally through the UI, but cannot redeem bbeUSD for its underlying until Euler restores transferability of eTokens (such as eDAI for DAI).
SwissBorg
SwissBorg had deposited 6,357 ETH and 1.7 million USDT in Euler. After the attack, SwissBorg quickly borrowed 4,752 cbETH to reduce its losses, but about 1,617.23 ETH (2.27% of the total assets subscribed to the plan) and nearly 1.7 million USDT (29.52% of the total assets subscribed to the plan) remain stranded and lost.
According to SwissBorg, preparations including risk-management procedures were put in place years ago for exactly these scenarios, so the extent of the damage is limited. SwissBorg will bear all losses from this event, and users will not suffer any loss.
Idle DAO
Idle Finance stated that, after investigation, the protocol's Yield Tranches strategy had exposure to the Euler incident of about $5.35 million in stablecoins and 320 ETH, and its Best Yield strategy about $4.8 million in stablecoins and 313 ETH.
Idle Finance emphasized that the actual impact will depend on the actions taken by the Euler team and on possible mitigations: the figures above are not realized losses but the amounts locked in Euler. Idle also noted that the Senior/Junior Best Yield DAI vaults had moved all funds to Aave the previous week because of the USDC depeg, so those vaults (total TVL $11.2 million) were not affected by the Euler incident and are operating as expected, earning yield on Aave.
Angle
Angle Protocol, a decentralized stablecoin protocol, posted on social media: "Angle Protocol was affected by the Euler exploit; 17.6 million USDC had been deposited into Euler. The protocol has been paused, the debt ceiling has been set to 0, and the Euler AMO has been closed. We are monitoring the situation and will update as soon as we receive more information."
Angle Protocol also stated that before the Euler hack the Angle Core module TVL was about $36 million, with 17.2 million agEUR minted through the Core module. That also covered approximately $11.6 million in deposits from Standard Liquidity Providers, approximately $35,300 in deposits from Hedging Agents, and a surplus of approximately $5.58 million.
Yearn
Yearn, a DeFi yield aggregator, stated that although it had no direct exposure to the Euler attack, some Yearn vaults were indirectly exposed through their use of Idle and Angle strategies. Exposure on yvUSDT and yvUSDC totals $1.38 million; any remaining bad debt will be borne by the Yearn vaults, all of which remain open and fully operational.
The six "guilty" audit firms
As soon as the incident broke, public opinion turned on blockchain security audit firms: how could a project this well-resourced, one able to have six security companies audit it, still carry a vulnerability that lost hundreds of millions of dollars? "DeFi is over" and "audits are useless" echoed everywhere. But did these six audit firms really overlook Euler's bug?
Certora
Certora is an Israel-based blockchain security company that provides security analysis tools and services for smart contracts. In May 2022, Certora raised $36 million in a Series B round led by Jump Crypto. Before that raise, Certora had found bugs for Aave, Compound, Balancer and SushiSwap, most of which were discovered and fixed before the code was deployed.
Certora audited Euler between September and October 2021. Its report listed 3 high-severity, 4 medium-severity and 2 low-severity issues. Since the code that caused the theft came from eIP-14, a proposal Euler introduced in July 2022, Certora is not responsible for this incident.
Halborn
Halborn is a blockchain security company headquartered in Miami. In July 2022, Halborn announced a $90 million Series A led by Summit Partners, joined by Castle Island Ventures, Digital Currency Group and Brevan Howard. Halborn's clients include well-known projects such as Solana, Avalanche and BAYC.
Halborn's audit of Euler took place between May and June 2021, before eIP-14 was introduced, so Halborn is likewise not liable.
Solidified & ZK Labs
Solidified and ZK Labs, two blockchain security companies that have audited projects such as OpenSea, Tether and Cosmos respectively, jointly audited Euler in May 2021, so they bear no responsibility for this incident either.
Pen Test Partners
Pen Test Partners is a cybersecurity firm whose work extends beyond the blockchain space. In June 2022, Pen Test Partners assessed the security of the Euler DApp and concluded in its report that "the App can resist attacks very well, and the risk to Euler infrastructure and user data is low." Pen Test Partners is also not liable.
Omniscia
Omniscia is a decentralized team of experienced smart contract auditors and developers with deep expertise in building and securing complex decentralized networks and applications. It has audited more than 240 projects and companies, including Polygon and Ava Labs.
Omniscia conducted three audits of Euler, in March, June and September 2022, focusing respectively on Merkle staking-reward security, Chainlink-related functionality and the Swap Hub. Although the last of these took place two months after eIP-14 was proposed, eIP-14 was not in scope for any of the three, so Omniscia made no major mistake.
SHERLOCK
SHERLOCK is a smart contract insurance and audit platform that provides a total of $10 million in on-chain vulnerability coverage and bug bounties for clients such as Opyn, Euler, Lyra, Tempus, LiquiFi and Hook.
SHERLOCK performed three audits for Euler: the first by auditor Chris Michel in December 2021, an update by auditor shw9453 in January 2022, and the last by auditor WatchPug in July 2022, which was the audit of eIP-14, the change that enabled the attack.
SHERLOCK accepted responsibility and launched a $4.5 million compensation plan, of which $3.3 million has been paid out, but this is very little against a loss of about $200 million.
Web3 needs new auditing mechanisms
Although the last review of the function that introduced the vulnerability was SHERLOCK's, and the other five audit firms had no direct connection to it, a protocol backed by an all-star VC roster, with many well-known DeFi protocols as upstream fund providers, was drained of nearly $200 million in a short time. Many community members said the Euler attack dealt a considerable psychological blow to DeFi.
Against the cry that "audits are useless", the incident actually highlights both the importance of blockchain security audits and the limitations of the current audit process. Auditor error, unclear audit scope, and the handling of new proposals after the original audit are the main factors limiting audit effectiveness today. SHERLOCK, which bears the main responsibility here, has itself acknowledged these problems.
In August 2022, SHERLOCK said that paying large sums for a handful of people to check your code for four months amounts to being cheated, and urged projects not to be fooled again. SHERLOCK adopted the capture-the-flag contest format from traditional security: USDC is the reward, and a bug-finding competition is run per project, so as to draw on a wider community of hundreds of reviewers.
