Decentralized finance (DeFi) lending protocol Euler Finance was hit by a flash loan attack on March 13, the largest crypto hack of 2023 so far. The protocol lost almost $197 million, and the attack also affected more than 11 other DeFi protocols with exposure to Euler.
On March 14, Euler posted an update notifying users that it had disabled the vulnerable eToken module, which blocked deposits and the vulnerable donation feature.
The firm said it works with several security groups to audit its protocol and that the vulnerable code had been reviewed and approved during an external audit; the vulnerability was not found as part of that audit.
One of our audit partners, @Omniscia_sec, prepared a technical autopsy and analyzed the attack in great detail. You can read their report here: https://t.co/u4Z2xdutwe
In short, the attacker exploited vulnerable code that allowed him to create an unbacked token debt… https://t.co/FGnPqvYUGB
— Euler Laboratories (@eulerfinance) March 14, 2023
The vulnerability remained live on-chain for eight months until it was exploited, even though a $1 million bug bounty was in place.
Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler file a claim. The protocol's claim vote approved the $4.5 million claim, and a $3.3 million payment was executed on March 14.
In its analysis, the audit group pointed to a key factor in the exploit: a missing liquidity (health) check in “donateToReserves”, a new function added in eIP-14 (Euler Improvement Proposal 14, not an Ethereum EIP). Because the function burned a user's collateral tokens without verifying that the account remained solvent afterwards, a borrower could leave debt with nothing backing it. However, the protocol emphasized that the attack was still technically possible even before eIP-14.
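To make the root cause concrete, the following is an added, deliberately simplified illustration written for this article; it is not Euler's code and does not reproduce its accounting, token modules or the full attack path. The contract, function and constant names (ToyLendingPool, donateToReservesUnchecked, COLLATERAL_FACTOR_BPS, _checkLiquidity) are hypothetical. It shows the vulnerable shape of a donation function that burns a user's collateral without re-checking the account's health, next to the hardened form that runs the same solvency check every operation that reduces collateral or increases debt must pass.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified single-asset lending pool (illustrative only, not Euler's code).
// Users deposit collateral, borrow against it, and may donate collateral to the
// reserve. All names and the 75% collateral factor are assumptions.
contract ToyLendingPool {
    uint256 public constant COLLATERAL_FACTOR_BPS = 7_500; // 75% of collateral may be borrowed

    mapping(address => uint256) public collateral; // eToken-like balance per account
    mapping(address => uint256) public debt;       // dToken-like balance per account
    uint256 public reserves;

    error Undercollateralized(address account);

    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
    }

    // Borrowing is checked: the account must stay solvent after the debt increases.
    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        _checkLiquidity(msg.sender);
    }

    // VULNERABLE shape: collateral is burned and credited to reserves, but the
    // account's health is never re-evaluated. A borrower who donates their own
    // collateral keeps their debt with nothing backing it.
    function donateToReservesUnchecked(uint256 amount) external {
        collateral[msg.sender] -= amount; // reverts on underflow in Solidity 0.8+
        reserves += amount;
        // missing: _checkLiquidity(msg.sender);
    }

    // HARDENED form: the same post-operation solvency check that borrow() uses.
    function donateToReserves(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
        _checkLiquidity(msg.sender);
    }

    // Reverts unless debt <= collateral * factor. Computed in basis points to
    // avoid fractional math; multiplication before comparison avoids rounding.
    function _checkLiquidity(address account) internal view {
        if (debt[account] * 10_000 > collateral[account] * COLLATERAL_FACTOR_BPS) {
            revert Undercollateralized(account);
        }
    }
}
```

The practitioner's takeaway is the invariant, not the specific function: any code path that lowers an account's collateral or raises its debt must end with the same health check as borrow(), and an audit checklist for a new governance-added function should ask which existing invariants it can violate. In this toy, an account with 100 units of collateral and 75 of debt passes the check; after donateToReservesUnchecked(100) it still holds 75 of debt with zero collateral, which is the "unbacked debt" described above, whereas donateToReserves(100) reverts with Undercollateralized.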
Sherlock noted that WatchPug’s July 2022 audit of Euler did not detect the critical vulnerability that ultimately led to the March 2023 exploit.
Nevertheless, Sherlock said it continues to endorse all the auditors who reviewed Euler.
Sherlock initially worked with @cmichelio to audit the first version of Euler in December 2021, then with @shw9453 to audit a very small update in January 2022, and finally with @WatchPug_ to audit EIP-14 in July 2022.
— SHERLOCK (@sherlockdefi) March 13, 2023
Euler has also reached out to major blockchain security and on-chain analytics firms, such as TRM Labs and Chainalysis, and to the Ethereum security community at large, seeking their help with the investigation and the recovery of the funds.
Euler also said it is trying to contact those responsible for the attack to obtain more information and possibly negotiate a reward in exchange for the return of the stolen funds.