BlockSec reported that Euler Finance was attacked and over $177 million stolen. Euler Finance subsequently confirmed that it was aware of the incident and said its team was working on it in collaboration with security professionals and law enforcement.
Euler Finance is a UK-based tech firm providing on-chain lending services and building non-custodial protocols on Ethereum. Euler completed a $32 million financing last year, with FTX, Coinbase, and Jump listed as participants.
Analysis by BlockSec pointed out that the root cause was a missing liquidity check in the function donateToReserves(). According to the key steps in the analysis, the attacker took a 30M DAI flash loan from AAVE, then deposited 20M DAI and received 20M eDAI. Because Euler Finance allows leveraged borrowing (docs.euler.finance/app/ui/mint), the attacker was then able to mint 195M eDAI and 200M dDAI.
Afterward, 10M of debt was repaid so that the attacker could mint even more eDAI, leaving the attacker with 215M eDAI and 190M dDAI. The attacker then repeated the mint step, increasing the holdings to 410M eDAI and 390M dDAI. Thereafter the attacker invoked donateToReserves() to donate 100M eDAI, then liquidated the position and made out with 38M eDAI. Finally, the flash loan was repaid.
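The ledger arithmetic above, and the effect of the missing check, can be followed in a small model. This is an added example, not Euler's contract code: the `Account` class, the `replay` helper and the solvency rule (healthy when eDAI >= dDAI) are simplifying assumptions, since the article does not give the protocol's risk factors.

```python
# Simplified ledger model of the sequence described above (added example).
# Assumption: an account is healthy when eDAI >= dDAI; the real protocol
# applies risk-adjusted factors that the article does not give.
M = 1_000_000

class LiquidityError(Exception):
    """Raised when an operation would leave the account under-collateralised."""

class Account:
    def __init__(self):
        self.e_dai = 0  # collateral (deposit) tokens
        self.d_dai = 0  # debt tokens

    def healthy(self):
        return self.e_dai >= self.d_dai

    def deposit(self, amount):
        self.e_dai += amount

    def mint(self, e_amount, d_amount):
        # Leveraged borrow: collateral and debt are created together,
        # and the position is health-checked afterwards.
        self.e_dai += e_amount
        self.d_dai += d_amount
        if not self.healthy():
            raise LiquidityError("mint would leave the account unhealthy")

    def repay(self, amount):
        self.d_dai -= amount

    def donate_to_reserves(self, amount, check_liquidity):
        # Removes collateral but leaves debt untouched, so the account can
        # become insolvent unless health is re-checked after the transfer.
        self.e_dai -= amount
        if check_liquidity and not self.healthy():
            self.e_dai += amount  # roll back, as a revert would
            raise LiquidityError("donation would leave the account unhealthy")

def replay(check_liquidity):
    """Replay the article's figures; return (eDAI, dDAI, healthy)."""
    acct = Account()
    acct.deposit(20 * M)
    acct.mint(195 * M, 200 * M)
    acct.repay(10 * M)
    acct.mint(195 * M, 200 * M)
    acct.donate_to_reserves(100 * M, check_liquidity)
    return acct.e_dai, acct.d_dai, acct.healthy()
```

Without the check the model ends at 310M eDAI against 390M dDAI, an insolvent position that is eligible for liquidation; with the check the donation is rejected and the ledger stays at 410M / 390M.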
Following the attack, Scope protocol reported that a USDC generic optimized lender strategy contract, Angle Protocol, was affected, with about 17.6M USDC trapped in Euler Finance.
Balancer also confirmed sending approximately $11.9M to Euler from the bbeUSD (Euler Boosted USD) pool at the time of the hack. The funds make up approximately 65% of the pool’s total value locked (TVL).
After determining the best course of action, Balancer paused bbeUSD (Euler Boosted USD), as well as all pools containing bbeUSD, and put them into recovery mode. Balancer stated that in addition to the bbeUSD token being deposited in 4 other pools, “all other Balancer pools are safe.”
Euler Finance has yet to release further information on the attack, but stated it would do so as soon as it has any.