Euler Finance's Flash-Loan Attack: A $197 Million Loss
Euler Finance has fallen prey to a massive flash-loan attack resulting in the loss of $197 million worth of tokens, although it looks like a typical financial attack, it is a distinct code issue in the smart contract.
The exploit, explained and analyzed by the spherex team involves:
- Synthetically creating a large under-collateralized position (with the flawed function)
- Gaining profit from the liquidation fee by liquidating the created position
- Executing both position opening and liquidation atomically with a contract using a flash-loan
Euler Finance is a permissionless lending protocol that helps users earn interest on their crypto assets or hedge against volatile markets without the need for a trusted third-party.
It boasts several groundbreaking features in the DeFi world like reactive interest rates, MEV-resistant liquidations, and multi-collateral stability pools. Additionally and more relevant for this analysis, Euler Finance’s liquidating fee changes based on how underwater the position is, making it a smart incentive mechanism.
Euler Finance's Features and the Attack Flow
First appeared the official statement, and then the explanations race started:
The attack flow, as described by the Peckshield team:
The exploit is related to the donateToReserves() function:
After leveraging the first deposit (twice), the hackers donated some of theirs eDAI tokens without the health of theirs position being checked in the process. this created a massive underwater position for them to liquidate and gain massive fees, based on the changed by “bad debt” liquidation fee discussed earlier.
The Flawed Function and Its Consequences
Ironically as quoted from the white paper:
Additionally, this fee ensures that ‘self-liquidating’ is always net-negative, which adds a profitability threshold that some undesirable manipulation strategies are unlikely to meet.
One of the findings we had is the flawed function donateToReserves(), which was introduced to the protocol on July 2022 after being proposed and approved by the governance in the following eip. This functionality was barely used since then (only three times) and all the calls were made by EOAs related to Euler finance (initial funding) - 0xa91d55…6fc93a and 0xb1ae68…ba25a7
Conclusion
The exploit’s sophisticated nature once again highlights the critical importance of robust security practices for blockchain projects. It is evident that relying solely on traditional security measures such as audits or monitoring (even real time monitoring), is not enough to ensure blockchain projects’ security. The vulnerability, lying in an audited code, went undetected for months, and alerting the suspicious activity after the funds already faded was too late. There’s definitely a missing brick in the current stack of smart contract security solutions.
PS
An interesting MEV anecdote — a bot accidentally frontrunned the first exploit transaction and transferred the funds to the hacker contract (check this).
About the author
Ido has over 6 years of software development and cybersecurity research experience. Before joining SphereX, Ido was an officer in an IDF's intelligence unit.