After 10 audits in 2 years, Euler Finance’s CEO alleges hacking

After Euler Finance offered a $1 million reward, the protocol's hacker began moving funds through Tornado Cash.

Ten consecutive audits completed over two years on the Ethereum-based lending protocol Euler Finance determined that it was “nothing more than low risk” and had “no remaining concerns” before its $196 million hack.

Michael Bentley, CEO of Euler Labs, tweeted on March 17 about the “hardest days” of his life after the $196 million flash loan attack on March 13.

He shared a user’s tweet revealing that Euler has undergone ten audits from six different organizations and said that the site “has always been a security-focused endeavor.”

From May 2021 through September 2022, blockchain security companies including Halborn, Solidified, ZK Labs, Certora, Sherlock, and Omniscia audited Euler Finance’s smart contracts.

Halborn graded its risk assessment based on the “probability of a security event” and its potential consequence, with risk levels ranging from extremely low and informational to critical; Euler earned “nothing above low risk.”

In a report of Halborn’s audit from December 2022, “an overall good outcome” was disclosed.

The report indicated that Halborn “inspected and studied” 23 smart contracts over one month, identifying just “two low risks and three informational” threats.

Euler indicated that it had evaluated Halborn’s coverage and determined that the risks posed “no serious hazards.”

Blockchain security company Omniscia noted “incorrect paradigms” in Euler’s basic swapper implementation and in how the swap mode was “managed by the codebase,” but stated in its report that these concerns had been “fully fixed” by Euler and that “no lingering issues” remained.

The protocol’s hacker started transferring funds via the crypto mixer Tornado Cash on March 16, only hours after Euler issued a $1 million reward for information leading to the hacker’s capture.

Bentley said in a recent Twitter thread that he would never “forgive the attacker” since he had to “sacrifice time” with his newborn child as a result of the attack, but he thanked the security specialists who were “working leads” for the investigation.

About 24 hours before the reward, Euler issued a warning that it would begin a process “leading to your arrest and the restoration of all monies” if 90% of the funds were not returned within 24 hours.