Decentralized finance (DeFi) lending protocol Euler Finance fell victim to a flash loan attack on March 13, the biggest crypto hack of 2023 so far. The lending protocol lost nearly $197 million in the attack, which also impacted more than 11 other DeFi protocols.
On March 14, Euler published an update on the situation and told its users that it had disabled the vulnerable eToken module to block deposits and the vulnerable donation function.
The firm said that it works with various security groups to audit its protocol, and that the vulnerable code was reviewed and approved during an outside audit. The vulnerability was not discovered as part of the audit.
The vulnerability remained on-chain for eight months until it was exploited, despite a $1 million bug bounty being in place during that time.
Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler submit a claim. The audit protocol later held a vote on the $4.5 million claim, which passed, and executed a $3.3 million payout on March 14.
The audit group, in its analysis report, noted that a major factor in the exploit was a missing health check in donateToReserves(), a new function added in EIP-14. However, the protocol stressed that the attack was still technically possible even before the existence of EIP-14.
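The class of bug Sherlock describes, shown as an added illustration that is not Euler's contract code or part of the audit report: a simplified Python model of a lending account in which a donation removes collateral while the debt stays, with and without a solvency check afterwards. The collateral factor, class and function names, and amounts are assumptions constructed for the example.

```python
from dataclasses import dataclass

COLLATERAL_FACTOR_BPS = 9_000  # assumed: 90% of collateral counts toward solvency

class HealthCheckFailed(Exception):
    """An operation would leave the account undercollateralized."""

@dataclass
class Account:  # hypothetical model, integer units of value
    collateral: int
    debt: int

    def is_healthy(self) -> bool:
        return self.collateral * COLLATERAL_FACTOR_BPS >= self.debt * 10_000

class Pool:
    def __init__(self) -> None:
        self.reserves = 0

    def _move_to_reserves(self, acct: Account, amount: int) -> None:
        if not 0 < amount <= acct.collateral:
            raise ValueError("invalid donation amount")
        acct.collateral -= amount
        self.reserves += amount

    def donate_unchecked(self, acct: Account, amount: int) -> None:
        # Shape of the flaw: collateral leaves, debt stays, solvency is never re-validated.
        self._move_to_reserves(acct, amount)

    def donate_checked(self, acct: Account, amount: int) -> None:
        # Hardened form: same state change, then a health check that reverts on failure.
        self._move_to_reserves(acct, amount)
        if not acct.is_healthy():
            acct.collateral += amount
            self.reserves -= amount
            raise HealthCheckFailed("donation would leave account insolvent")

def run_demo() -> dict:
    pool = Pool()
    a, b = Account(1_000, 800), Account(1_000, 800)  # constructed sample accounts
    pool.donate_unchecked(a, 500)  # accepted; a now holds 500 against 800 debt
    try:
        pool.donate_checked(b, 500)
        reverted = False
    except HealthCheckFailed:
        reverted = True
    return {"unchecked_healthy": a.is_healthy(), "checked_reverted": reverted,
            "checked_state": (b.collateral, b.debt), "reserves": pool.reserves}
```

The invariant a reviewer would look for is that every function that lowers an account's collateral or raises its debt ends with the same solvency check.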
Sherlock noted that the Euler audit by WatchPug in July 2022 missed the critical vulnerability that eventually led to the exploit in March 2023.
Euler has also reached out to leading on-chain analytics and blockchain security firms, such as TRM Labs and Chainalysis, and to the broader ETH security community, seeking their help with the investigation and with recovering the funds.
Euler said that it is also trying to contact those responsible for the attack in order to learn more about the issue and possibly negotiate a bounty to recover the stolen funds.