Euler Finance halts module, recovering money

The decentralized finance (DeFi) lending system Euler Finance was compromised by a flash loan attack on March 13, 2023, resulting in the largest crypto breach of 2023 to date.

The assault cost the loan protocol roughly $197 million and affected more than eleven additional DeFi systems.

On March 14, Euler provided an update on the issue and informed its users that it had deactivated the susceptible token module to prevent deposits and the vulnerable donation feature.

The company said that they collaborate with many security organizations to conduct audits of their protocol and that the susceptible code was examined and authorized during an external audit.

The vulnerability was not identified by the audit.

The vulnerability remained exploitable for eight months despite the existence of a $1 million bug incentive.

Sherlock, an auditing firm that has previously collaborated with Euler Finance, confirmed the exploit’s core cause and assisted Euler in filing a claim.

The audit process subsequently voted on and approved the $4.5 million claim, and on March 14, it executed a $3.3 million settlement.

In their study report, the audit team identified a key contributor to the exploit: the absence of a health check in “donateToReserves,” a new function introduced in EIP-14.

Nonetheless, the protocol emphasized that the attack was theoretically feasible before EIP-14.

Sherlock observed that the Euler audit conducted by WatchPug in July 2022 failed to identify the fundamental flaw that ultimately led to the attack in March 2023.

Also, Euler has reached out to prominent on-chain analytic and blockchain security organizations, such as TRM Labs, Chainalysis, and the larger ETH security community, to assist them with the investigation and recover the cash.

They have notified Euler that they are also attempting to contact the attackers to learn more about the incident and perhaps negotiate a reward to retrieve the stolen monies.