Euler Finance Incident Analysis
3/13/2023

Introduction

Euler Finance was exploited, leading to a loss of approximately $197 million. A series of flash-loan-funded transactions exploited a vulnerability in Euler’s donateToReserves() function, which the attacker used against five separate pools. This is by far the largest incident of the year in terms of funds lost and accounts for approximately 70% of all funds lost in 2023.

Event Summary

On 13 March 2023, CertiK Skynet monitors alerted the incident response team to a suspicious flash loan against Euler Finance. The initial transaction turned out to be one of several attack transactions that together led to a loss of approximately $197 million.

With assets borrowed through a flash loan, the attacker first built a highly leveraged, insolvent position using Euler’s unique mint() function together with the vulnerable donateToReserves() function in Euler’s pool contracts. The attacker then liquidated that position in the same transaction to gain a large amount of derivative eTokens before draining the pool through withdrawals. The attacker repeated the attack against multiple Euler pools, resulting in a total loss of $197 million.

The attack was conducted primarily by EOA 0xB2698 (Euler Finance Exploiter 1), who exploited five Euler Finance pools. The funds from these attacks are currently split between Euler Finance Exploiter 1 and 0xb66cd (Euler Finance Exploiter 2). The attack took the following assets from Euler Finance’s pools:

  • 8,877,507 DAI
  • 8,080 WETH
  • 846.4 WBTC
  • 73,821 stETH
  • 34,224,863 USDC

The funds were then swapped for ETH and DAI, leaving the exploiter in control of 96,732.66 ETH and approximately 43 million DAI. The vast majority of the funds remain in the two Euler Finance Exploiter wallets, with the exception of 101 ETH that Euler Finance Exploiter 2 transferred to EOA 0xc66dF (Euler Finance Exploiter 3). Euler Finance Exploiter 3 then deposited 100 ETH into Tornado Cash.

Image: 100 ETH deposited into Tornado Cash. Source: Etherscan

A separate EOA (0x5F259) claimed via an on-chain message that its MEV bot had accidentally front-run the attacker’s first transaction, which netted it 8.8 million DAI. It also stated that the bot attempted to front-run the attacker’s second transaction but was unsuccessful. The 8.8 million DAI ended up with Euler Finance Exploiter 2 because the front-running transaction copied the exploiter’s contract, which had Euler Finance Exploiter 2’s wallet hardcoded within its withdraw() function.

Image: withdraw() function in contract 0xeBC29. Source: Etherscan

Whilst this may seem like a noble attempt, EOA 0x5F259 was involved in suspicious activity prior to this incident. EOA 0x5F259 was initially funded by 0xBcAa6 with approximately 4.22 ETH on 12 February. Looking at the activity of 0xBcAa6 on the Binance Smart Chain, we see that the wallet received approximately 349,399 USDT from a token with a deflationary vulnerability that has been widely spread on social media. EOA 0xBcAa6 transferred the funds to EOA 0xb1546, which bridged the USDT to Ethereum, where it was swapped for ETH and deposited into Tornado Cash.

Image: Funds from the deflationary token exploit deposited into Tornado Cash. Source: Etherscan

Therefore, the attempted front-running of the Euler Finance Exploiter transactions was unlikely to have been a white hat attempting to secure vulnerable funds, given the wallet’s association with a black hat incident.

Analysis of The Attack Transactions

The attacker exploited 5 Euler Finance pools.

Using transaction 0xc310 as an example:

  1. The attacker executes a flash loan for 30 million DAI from AAVE.
  2. They then call executeOperation() in the attack contract, which performs the following steps:

i) A malicious contract was deployed and 30 million DAI was transferred into the contract.

ii) 20 million DAI was deposited and the attacker received 20 million eDAI as collateral.

Note: Before the attacker called the deposit() function, the DAI balance on Euler was 8,904,507 DAI.


iii) The contract calls the eDAI.mint() function. mint() is a unique Euler feature that borrows and deposits the same asset recursively in a single call, a faster way to build a leveraged lending loop on one asset.


Euler’s white paper includes a description of the mint function. Image: Euler Finance white paper. Source: Euler Finance

Euler Protocol uses two derivative tokens: dTokens (debt tokens) and eTokens (collateral tokens).

When the mint() function was called, 0x583c received 200 million dDAI, a 10x leverage of the 20 million DAI deposit, and 195.6 million eDAI.


iv) The attacker had flash loaned 30 million DAI, of which 20 million DAI was deposited to Euler, leaving 10 million DAI from the AAVE flash loan. The attacker called the repay() function to repay the remaining 10 million DAI to the eDAI pool, which burned 10 million dDAI from contract 0x583c.


They then called mint() again to create another 200 million dDAI of debt while receiving a further 195.6 million eDAI in the attack contract (0x583c).

v) The attacker now calls donateToReserves(), the vulnerable function introduced in July 2022, and donates 100 million eDAI to the pool’s reserves, 10 times the amount just repaid.

However, the function performs no check on the collateralization status of the donor after the action. A normal eToken transfer ends with a call to checkLiquidity(); the updated donateToReserves() function skips that check because it moves the eTokens into reserves directly rather than through eToken.transferFrom(). After the donation, the violator’s risk-adjusted liabilities exceeded the value of its risk-adjusted collateral: the attacker had intentionally created a leveraged, insolvent position that could now be liquidated.


vi) The attacker can now call liquidate() on the violator, an address whose debt level is no longer healthy. The liquidator is a contract (0xA0b3e) owned by the attacker and the violator is the attacker’s previous contract (0x583c).


The liability value exceeds 248,751,315, which grants the full discount booster of 1,000,000,000,000,000,000 (1e18); this equates to the 20% maximum discount described in Euler’s documentation.

As both the underlying and the collateral asset are DAI, the repay amount is set to the maximum.


That capped the total currently owed at 390,000,000 (390 million) dDAI: two mints of 200 million less the 10 million repaid.


After fees and discounts, the repay/debt transfer value totals over 259,319,058 (259.3 million) dDAI.


A further 5,084,687 (about 5 million) dDAI of debt was minted during the liquidation procedure.


The total debt transferred is far lower than the approximately 310,930,612 (310.9 million) collateral eTokens claimed. The liquidator thus gained close to 45 million in surplus derivative tokens, more than enough to drain the remaining 38.9 million DAI in the protocol.


The liquidator withdrew enough of the claimed eDAI collateral to take all of the remaining 38.9 million DAI from the pool, and the attacker then repaid the flash loan.
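The sequence above as a runnable toy model, added to this analysis and not Euler’s code: one DAI pool with eDAI/dDAI balances, a mint() that borrows and deposits in one step, a transfer that ends in a liquidity check, and a donateToReserves() that skips it. Everything beyond the page’s round figures is an assumption: 1 eDAI is treated as 1 DAI, a single collateral factor of 0.95 stands in for Euler’s separate collateral and borrow factors, there is no interest, fee or exchange-rate drift, and the same-asset liquidation rule is modelled as repay × (1 + 20%) capped by the violator’s collateral. The labels 0x583c and 0xA0b3e are the two attacker contracts named above; the class and function names are hypothetical. Using the starting balance of 8,904,507 DAI, it shows that moving the same 100 million eDAI by transfer() reverts while the donation goes through, that the donation leaves the position insolvent, and that the liquidator can then drain the pool’s 38,904,507 DAI and clear the 30 million flash loan with 8,904,507 DAI left over, in line with the 8.88 million DAI taken from the DAI pool.

```python
"""Toy model of the Euler accounting described above. Added example, not Euler's code:
1 eDAI == 1 DAI, one collateral factor, no interest/fees and a 20% max discount are assumed."""

COLLATERAL_FACTOR = 0.95   # assumed; Euler uses separate collateral and borrow factors
MAX_DISCOUNT = 0.20        # the 20% maximum liquidation discount named above


class Insolvent(Exception):
    """Raised where Euler's checkLiquidity() would revert."""


class Pool:
    def __init__(self, cash):
        self.cash = float(cash)   # DAI held by the pool
        self.e = {}               # eDAI (collateral) per account
        self.d = {}               # dDAI (debt) per account

    def is_insolvent(self, a):
        return self.e.get(a, 0.0) * COLLATERAL_FACTOR < self.d.get(a, 0.0)

    def check_liquidity(self, a):
        if self.is_insolvent(a):
            raise Insolvent(a)

    def deposit(self, a, amt):
        self.cash += amt
        self.e[a] = self.e.get(a, 0.0) + amt

    def mint(self, a, amt):
        """Euler mint(): borrow and deposit the same asset in one step."""
        self.d[a] = self.d.get(a, 0.0) + amt
        self.e[a] = self.e.get(a, 0.0) + amt
        self.check_liquidity(a)

    def repay(self, a, amt):
        self.cash += amt
        self.d[a] -= amt

    def transfer(self, src, dst, amt):
        self.e[src] -= amt
        self.e[dst] = self.e.get(dst, 0.0) + amt
        self.check_liquidity(src)   # a normal eToken transfer is health-checked

    def donate_to_reserves(self, a, amt, patched=False):
        """Burn eTokens into reserves. Unpatched, the donor's health is never checked."""
        self.e[a] -= amt
        if patched:
            self.check_liquidity(a)

    def withdraw(self, a, amt):
        self.cash -= amt
        self.e[a] -= amt
        self.check_liquidity(a)

    def liquidate(self, liquidator, violator):
        """Same-asset liquidation: repay the whole debt if possible and receive
        collateral worth repay * (1 + discount), capped by the violator's balance."""
        if not self.is_insolvent(violator):
            raise ValueError("violator is healthy")
        seized = min(self.d[violator] * (1 + MAX_DISCOUNT), self.e[violator])
        repay = seized / (1 + MAX_DISCOUNT)
        self.d[violator] -= repay
        self.e[violator] -= seized
        self.d[liquidator] = self.d.get(liquidator, 0.0) + repay
        self.e[liquidator] = self.e.get(liquidator, 0.0) + seized
        self.check_liquidity(liquidator)   # the liquidator must end up healthy
        return repay, seized


M, FLASH_LOAN = 1_000_000, 30_000_000
VIOLATOR, LIQUIDATOR = "0x583c", "0xA0b3e"   # the two attacker contracts named above


def simulate(step_v="donate"):
    """Replay steps ii-vi. step_v selects how 100M eDAI leaves the violator:
    "donate" (the bug), "donate-patched" (check added) or "transfer" (normal path)."""
    pool = Pool(cash=8_904_507)              # DAI balance before the attack
    pool.deposit(VIOLATOR, 20 * M)
    pool.mint(VIOLATOR, 200 * M)             # 10x: 200M dDAI and 200M more eDAI
    pool.repay(VIOLATOR, 10 * M)             # the rest of the flash loan
    pool.mint(VIOLATOR, 200 * M)             # 390M dDAI against 420M eDAI
    try:
        if step_v == "transfer":
            pool.transfer(VIOLATOR, LIQUIDATOR, 100 * M)
        else:
            pool.donate_to_reserves(VIOLATOR, 100 * M, patched=(step_v == "donate-patched"))
    except Insolvent:
        return {"reverted": True, "insolvent": False, "profit": 0.0}
    insolvent = pool.is_insolvent(VIOLATOR)  # 320M * 0.95 < 390M debt
    pool.liquidate(LIQUIDATOR, VIOLATOR)
    drained = pool.cash                      # every DAI the pool holds: 38,904,507
    pool.withdraw(LIQUIDATOR, drained)
    return {"reverted": False, "insolvent": insolvent, "profit": drained - FLASH_LOAN}


if __name__ == "__main__":
    for mode in ("donate", "donate-patched", "transfer"):
        print(mode, simulate(mode))
```

Run as a script to see all three paths. The point of the model is the placement of check_liquidity(): every other operation that reduces an account's collateral ends with it, so the position can never be left insolvent by the account holder; donateToReserves() is the one exit that does not, and the "donate-patched" path shows that adding the same call at the end of the function is enough to revert the attack at step v.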

Conclusion

The exploit on Euler Finance is by far the largest of 2023 and accounts for approximately 70% of all funds lost this year. It is also the largest flash loan exploit seen in over 14 months; the only incident that comes close is Beanstalk Finance, which suffered an exploit in April 2022 amounting to a $182.2 million loss. It is unusual to see such a large amount of funds lost to a flash loan during a bear market: the average loss per attack in 2022 was approximately $3 million, and so far in 2023 it is approximately $400,000.

This incident is a sobering reminder that, no matter the market conditions, projects and protocols are responsible for large sums of investor funds and need to prioritize security. CertiK audits take a detailed look at a project’s code to spot bugs that can have devastating consequences. If a project is attacked, CertiK’s incident response services can assist with reporting to law enforcement and negotiating with the exploiter, among other things. Visit certik.com to view our auditing and incident response services.