
Decentralized finance (DeFi) lending protocol Euler Finance fell victim to a flash loan attack on March 13, resulting in the biggest crypto hack of 2023 to date. The lending protocol lost nearly $197 million in the attack, and over 11 other DeFi protocols were also affected.
On March 14, Euler published an update on the situation and notified users that it had disabled the vulnerable eToken module to block the vulnerable deposit and donation functions.
The company said it had worked with various security groups to audit the protocol, and that the vulnerable code had been reviewed and approved during external audits. The vulnerability was not discovered as part of the audits.
One of our audit partners, @Omniscia_sec, prepared a technical post-mortem and analyzed the attack in detail. You can read the report here: https://t.co/u4Z2xdutwe
In short, attackers exploited vulnerable code that allowed them to create unsupported token loans… https://t.co/FGnPqvYUGB
— Euler Labs (@eulerfinance) March 14, 2023
The vulnerability remained in place for eight months until it was exploited, despite a $1 million bug bounty.
Sherlock, an audit group that has been working with Euler Finance for months, verified the root cause of the exploit and helped Euler submit a claim. The audit protocol then put a claim for $4.5 million to a vote, which passed, and paid out $3.3 million on March 14.
In its analysis report, the audit group noted an important factor in the exploit: missing health checks in “donateToReserves,” a new function added in EIP-14. However, the report also states that such an attack was technically possible even before EIP-14.
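To illustrate the class of defect described above, the following is an added, simplified Solidity sketch (not Euler's code; the contract, interface and function names are hypothetical). It places a donation path that moves collateral out of an account without a solvency check beside the hardened form, which re-verifies account health the way a withdrawal would.

```solidity
// Hypothetical, simplified illustration (not Euler's code) of a collateral
// "donation" path that lacks the health check a lending market normally runs
// after any operation that reduces a user's collateral.
pragma solidity ^0.8.0;

interface IRiskManager {
    // Assumed helper: reverts if `account` would hold less collateral than its debt requires.
    function requireLiquidity(address account) external view;
}

contract DonationExample {
    IRiskManager public immutable risk;
    mapping(address => uint256) public collateral; // eToken-style collateral balance
    uint256 public reserves;

    constructor(IRiskManager r) {
        risk = r;
    }

    // VULNERABLE pattern: collateral leaves the account, but nothing checks that
    // the account is still solvent afterwards.
    function donateToReservesUnchecked(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
    }

    // HARDENED pattern: treat a donation like a withdrawal and re-check health,
    // so the call reverts if it would leave the donor undercollateralized.
    function donateToReserves(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
        risk.requireLiquidity(msg.sender);
    }
}
```

The defensive rule the hardened version encodes is that every code path that reduces collateral or increases debt, however unusual its purpose, must end with the same health check as a withdrawal or borrow.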
Sherlock noted that WatchPug’s audit of Euler in July 2022 missed the critical vulnerability that ultimately led to the March 2023 exploit.
In addition, Sherlock stands behind every auditor who examines Euler.
Sherlock initially worked together with @cmichelio to audit the first version of Euler in Dec 2021, then with @shw9453 for a very small update audit in Jan 2022, and finally with @WatchPug_ for the EIP-14 audit in July 2022.
— SHERLOCK (@sherlockdefi) March 13, 2023
Euler has also reached out to on-chain analytics and blockchain security companies such as TRM Labs and Chainalysis, as well as the broader Ethereum security community, in an effort to investigate the attack and recover funds.
Euler said it is also trying to contact those responsible for the attack to learn more about the problem and possibly negotiate a reward for the return of the stolen funds.