Ethereum-based DeFi lending protocol Euler Finance was hacked, resulting in the theft of an estimated $197M. As a result of the exploit, the platform’s native EUL token fell 52.69% in the last 24 hours, from $6.489 to $3.07.
Meanwhile, users began to actively move their funds, increasing trading volume by 880%. Below, we explain how the token is doing now and what EUL holders should do.
Euler is a permissionless protocol by which users can earn interest on their savings or hedge against volatile markets without the need to involve intermediaries.
According to security analysts from Chainsight, attackers stole about $198M in a “flash loan”, a type of loan where a user borrows assets with no upfront collateral and returns the money within the same blockchain transaction.
It is assumed that the hackers stole several assets at once, namely:
- $136M of stETH.
- $34M of USDC.
- $19M of WBTC (wrapped Bitcoin, which has been converted for use on the Ethereum network).
- $8.7M of DAI stablecoin.
Flash loans are usually safe for lenders if precautions are taken. In particular, a repayment agreement must be in place; otherwise, the original loan will never be granted. In addition, to eliminate all possible risks, smart contracts must cover all transaction details.
If they do not, a hacker can abuse weaknesses in the smart contract. In such a scenario, the fraudster usually borrows a lot of funds that do not require collateral, manipulates the price of the stolen asset on one exchange, and quickly resells the token on another.
Everything happens so quickly that, sometimes, the attacker manages to pull off the same scam several times before disappearing without leaving a trace.
In the case of EUL, unknown persons used a vulnerability to attack the protocol. According to BullaBear $PI$ trader, the scammers borrowed $30M DAI and used it to enter into two contracts. One of the contracts carried $20M DAI in Euler Finance and created fake debt of $200M DAI.
“They then donated $100M DAI to the reserve which caused a problem with the collateral. Another contract was used to take advantage of this and liquidate the position, resulting in the attacker keeping around $8.8M DAI after fees,” the expert explains.
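The sequence in the quoted description, replayed against a toy accounting model (an added example, not Euler's contract code and not part of the original article). The `Market` class, its method names and the 0.95 collateral factor are assumptions made for illustration; amounts are the article's figures in millions of DAI. It contrasts a donation path that skips the solvency check with one that applies it.

```python
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.95  # assumed risk weight for this toy model

class Insolvent(Exception):
    """The operation would leave the account undercollateralized."""

@dataclass
class Account:
    collateral: float = 0.0  # deposit-token balance
    debt: float = 0.0        # debt-token balance

    def healthy(self) -> bool:
        return self.collateral * COLLATERAL_FACTOR >= self.debt

class Market:  # hypothetical model, not Euler's contract code
    def __init__(self, check_donations: bool):
        self.check_donations = check_donations
        self.reserves, self.accounts = 0.0, {}

    def _apply(self, who, d_coll, d_debt, to_reserves=0.0, check=True):
        old = self.accounts.get(who, Account())
        new = Account(old.collateral + d_coll, old.debt + d_debt)
        if new.collateral < 0:
            raise ValueError("insufficient balance")
        if check and not new.healthy():
            raise Insolvent(who)  # nothing was written, so state is unchanged
        self.accounts[who] = new
        self.reserves += to_reserves

    def deposit(self, who, amount):
        self._apply(who, amount, 0.0)

    def mint(self, who, amount):  # leverage: equal deposit and debt balances
        self._apply(who, amount, amount)

    def donate_to_reserves(self, who, amount):
        # Solvency is re-checked here only in the hardened variant.
        self._apply(who, -amount, 0.0, amount, check=self.check_donations)

def scenario(check_donations: bool):
    """Replay the article's figures (millions of DAI): (account, rejected)."""
    m = Market(check_donations)
    m.deposit("acct", 20)
    m.mint("acct", 200)
    try:
        m.donate_to_reserves("acct", 100)
    except Insolvent:
        return m.accounts["acct"], True
    return m.accounts["acct"], False
```

With `check_donations=False` the account ends at 120 collateral against 200 debt, which is the unbacked position the liquidation step then acts on; with `True` the donation is rejected and the balances stay at 220 and 200.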
According to Cyvers analysts, who detected the exploit at 8:50 a.m. UTC, attackers made six transactions. They managed to deploy the malicious contract just 24 seconds before the transactions began.
This one was detected by our malicious contract AI model 24 seconds before the first interaction with @eulerfinance $EUL
— Cyvers (@Cyvers_) March 13, 2023
In this regard, experts urge users to look for updates on the situation and to exercise caution when working with the token.
EUL’s current price
As a result of the attack, Euler Finance’s native token has fallen by more than 50% in 24 hours and is trading at $2.8 at the time of writing.
In addition, because of the exploit, coin holders began to actively move their funds to avoid losing them. As a result, the daily trading volume of EUL increased by 880% at its peak on March 13. According to CoinGecko, the largest token trading volume was recorded on the Huobi exchange, where EUL paired with USDT traded for $5.7M.
Nevertheless, the value of the asset continues to fall, and within one day the token entered the top 10 worst-performing cryptocurrencies.
#WORST 10 #CRYPTO %24h
$ANGLE ANGLE -52.78
$EUL Euler -48.85
$MFI MetFi -34.85
$LEGO LegoCoin -28.41
$PART Particl -26.56
$XTN Neutrino -23.16
$BWO BattleWo -21.05
$ZILLIONXO ZillionA -20.29
$STBU Stobox -20.22
$BTCS BitcoinP -19.86
— GetStocks (@GetStocks) March 14, 2023
Euler Finance’s comment
Representatives of the company confirmed the attack and released a post explaining what was happening. In particular, it was stated that everything is being done to recover funds for Euler Finance users. Here’s what has been done to offset what happened:
- Stopped the direct attack as soon as possible by helping disable the EToken module, which blocked deposits and the vulnerable donation function.
- Engaged TRM Labs, Chainalysis, and the broader ETH security community to help with the investigation and work to recover funds.
- Notified and shared info with US and UK law enforcement.
The report also says that Euler Finance is working with various security groups to audit the protocol, but that didn’t stop the hacker from taking advantage of the vulnerability.
“While the vulnerable code was reviewed and approved during an outside audit, the [vulnerability] was not discovered as part of the audit. The [vulnerability] remained on-chain for eight months until [it] was exploited today, despite [a] $1M bug bounty being in place during that time,” says the report.
The company also added that it is devastated by the effect of this attack and will continue to work with security partners, law enforcement, and the broader community to resolve the problem.
One of our auditing partners, @Omniscia_sec, prepared a technical post-mortem and analysed the attack in great detail. You can read their report here: https://t.co/u4Z2xdutwe
In short, the attacker exploited vulnerable code which allowed it to create an unbacked token debt… https://t.co/FGnPqvYUGB
— Euler Labs (@eulerfinance) March 14, 2023
While the company is busy dealing with the situation, users whose funds have not yet been affected should take care of their savings. As for the price, it will most likely continue to fall. This can be assumed because of the upcoming unlocking of EUL tokens. According to Token Unlocks, the event will take place as early as tomorrow, March 15.
The project team plans to unlock 0.396% of the total number of tokens, or 107,723 EUL ($309,165 at current exchange rates). In total, Euler Finance has already unlocked 57% of the tokens, but the maximum number is not shown.
As we reported earlier, usually after unlocking, the value of the asset falls. This is explained by the increasing supply of tokens in the market. That is, the lower the supply, the higher the demand, and the price goes up. After unlocking, the opposite effect occurs.
This week’s Cliff unlock over $300M
Highlight Unlocks are $APE & $BIT
$APE 4.1% – $178 M
$BIT 1.9% – $101 M
$DYDX 0.7% – $16 M
$EUL 0.4% – $0.3 M
$GAL 0.1% – $0.3 M
Check it out: https://t.co/4tCmkftQ3F
— Token Unlocks (@Token_Unlocks) March 14, 2023
Whether the project will cope with the current problems is still unclear, so neither outcome should be ruled out. However, even if Euler Finance can recover, users may not trust the network as much as before.
What do you think about this? Which of the options voiced is most likely?