Introduction

Euler Finance was exploited leading to a loss of approximately $197 million. The malicious flash loans exploited a vulnerability in Euler’s donateToReserves() function which was present within five separate pools. This exploit is by far the largest incident in terms of funds lost and makes up approximately 70% of all the funds lost in 2023.

Event Summary

On 13 March 2023, CertiK Skynet monitors alerted the incident response team to a suspicious flash loan against Euler Finance. The initial transaction was identified as one attack among many that led to a loss of approximately $197 million.

With assets borrowed from a flash loan, the attacker first created a highly leveraged insolvent position through the unique mint() function of the Euler lending protocol, as well as the vulnerable donateToReserves() function in Euler’s pool contracts. The attacker then liquidated their position in the same transaction to gain a large amount of derivative eTokens before draining the pool through withdrawals. The attacker repeatedly called attack transactions on multiple Euler pools resulting in a loss of $197 million.

The attack was conducted primarily by EOA 0xB2698 (Euler Finance Exploiter 1) who exploited five Euler Finance pools. The funds from these attacks are currently split between Euler Finance Exploiter 1 and 0xb66cd (Euler Finance Exploiter 2). The attack stole the following assets Euler Finance’s pools:

• 8,877,507 DAI
• 8,080 WETH
• 846.4 WBTC
• 73,821 stETH
• 34,224,863 USDC

The funds were then swapped for ETH and DAI with the exploiter being in control of 96,732.66 ETH and approximately 43 million DAI. The vast majority of funds are currently within the two Euler Finance Exploiter wallets with the exception of 101 ETH that was transferred to EOA 0xc66dF (Euler Finance Exploiter 3) from Euler Finance Exploiter 2. From there, Euler Finance Exploiter 3 deposits 100 ETH into Tornado Cash.

Image. 100 ETH deposited into Tornado Cash. Source: Etherscan

A third EOA (0x5F259) claimed via an on-chain message that their MEV bot had accidentally front-ran the attackers first transaction, which gave them 8.8 million DAI. They also stated the MEV attempted to front run the attackers second transaction but was unsuccessful. The 8.8 million DAI was transferred to Euler Finance Exploiter 2 since the attempted front-running transaction copied the exploiters contract which had Euler Finance Exploiter 2’s wallet hardcoded within the withdraw() function.

Image. Withdraw function in contract 0xeBC29. Source: Etherscan

Whilst this may have seemed like a noble attempt, EOA 0x5F259 has been involved in suspicious activity prior to this incident. EOA 0x5F259 was initially funded by 0xBcAa6 with approximately 4.22 ETH on 12 February. When looking at the activity of 0xBcAa6 on the Binance Smart Chain we see that the wallet received approximately 349,399 USDT from a token with a deflationary vulnerability that has been wildly spread on social media. EOA 0xBcAa6 transferred the funds to EOA 0xb1546 who bridged the USDT to Ethereum where it was swapped for ETH and deposited into Tornado Cash.

Image: Funds from deflationary token exploit deposited into Tornado Cash. Source: Etherscan

Therefore, the attempted front running of the Euler Finance Exploiter wallets was unlikely an example of a white hat attempting to secure vulnerable funds due to the wallets association with a black hat incident.

Analysis of The Attack Transactions

The attacker exploited 5 Euler Finance pools.

• Victim(eDAI): https://etherscan.io/address/0xe025e3ca2be02316033184551d4d3aa22024d9dc
• Victim (eWETH): https://etherscan.io/address/0x1b808f49add4b8c6b5117d9681cf7312fcf0dc1d
• Victim (eWBTC): https://etherscan.io/token/0x0275b156cd77c5ed82d44bcc5f9e93eecff20138
• Victim (ewstETH) https://etherscan.io/token/0xbd1bd5c956684f7eb79da40f582cbe1373a1d593
• Victim(eUSDC): https://etherscan.io/address/0xeb91861f8a4e1c12333f42dce8fb0ecdc28da716

Using transaction 0xc310 as example:

1. The attacker executes a flash loan for 30 million DAI from AAVE.
2. They then call executeOperation() in attack contract:

i) A malicious contract was deployed and 30 million DAI was transferred into the contract. ii) 20 million DAI was deposited and the attacker received 20 million eDAI collateral.

Note: Before the attacker called the deposit() function the DAI balance on Euler was 8,904,507 DAI.

iii) The contract Calls eDAI.mint() function. The mint() function is a unique Euler feature to recursively borrow and deposit which is a faster way to create a lending loop for the same asset.

Euler includes the following description of the mint function: Image: Euler Finance White paper Source: Euler Finance

Euler Protocol utilizes dToken & eToken :

d Token stands for debt Token e Token Collateral Token).

When the mint() function was called 0x583creceived 200 million dDAI, a 10x leverage of the 20 million DAI deposit, and 195.6 million eDAI.

iv) The attacker had flash loaned 30 million DAI, of which 20 million DAI was deposited to Euler, leaving 10 million DAI remaining from the AAVE flashloan. The attacker called the repay() function to repay the remaining 10 million DAI to Euler in the eDAI pools. This subsequently burned 10 million dDAI from contract 0x583c.

They then called mint() again to create another 200 million in dDai debt while also receiving 195.6 million eDAI in the attack contract (0x583c).

v) The attacker now calls donateToReserves(), the vulnerable function introduced in July 2022, and transferred 100 million eDAI to Euler which is 10 times the amount repaid.

However, there is no proper check on the collateralization status of this action. A normal transfer of eToken would call ‘checkLiquidity()’, which is missing from the updated donateToReserves() function as eToken.transferFrom() is not called. After the liquidator’s risk-adjusted liabilities exceed the value of their risk-adjusted collateral. The attacker had intentionally created a leveraged and insolvent position where they would be liquidated.

vi) The attacker can now liquidate() the violator which is an address that doesn't have a healthy debt level. The liquidator is a contract (0xA0b3e) owned by the attacker and the violator is the attackers pervious contract (0x583c).

The liability value is >248,751,315 which gives a full discount boost of ​​1,000,000,000,000,000,000 (1e18). This equates to a 20% discount as labelled in Euler documents.

As both underlying and collateral assets are DAI, the repay amount is set to the maximum amount.

That then capped the total currently owed at 390,000,000 (390 million) dDAI.

After fees and discounts the repay/debt transfer value totals > 259,319,058 (259.3 million).

An additional >5,084,687 (5 million) extra debt was minted during the liquidation procedure.

The total transferred debt is much lower than the approximately 310,930,612 (310 million) collateral eTokens that were claimed. The liquidator gained almost 45 million worth of derivative tokens, more than enough to drain the remaining 38.9 million DAI in the protocol.

The liquidator withdrew some of the claimed collateral eDai for all the remaining 38.9 million DAI in the protocol and then the attacker repaid the flash loan.

Conclusion

The exploit on Euler Finance is by far the largest exploit of 2023 and accounts for approximately 70% of all funds lost this year. Furthermore, this is the largest flash loan exploit seen in over 14 months, with the only other incident that comes close being Beanstalk Finance who suffered an exploit in April 2022 amounting to a $182.2 million loss. It’s unusual to see such large amount of funds lost to a flash loan during a bear market. The average loss per attack in 2022 was approximately $3 million and so far in 2023 is approximately $400,000.

This incident is a sobering reminder that no matter the market conditions, projects and protocols are responsible for a large sum of investor funds and need to prioritize security. CertiK audits take a detailed look at a projects code to spot any bugs that can have devastating consequences. However, if a project is attacked, CertiK’s incident response services can assist projects in navigating reporting to law enforcement and negotiate with the exploiter amongst others. Visit certik.com to view our auditing and incident response services.