Euler Finance disables the vulnerable module and works to recover lost funds
Euler is collaborating with law enforcement and blockchain security firms to track down the exploiter and recover the funds.
On March 13, the Decentralized Finance (DeFi) lending protocol Euler Finance was the victim of a flash loan attack, resulting in the largest crypto hack in 2023 so far. The attack cost the lending protocol nearly $197 million and impacted more than 11 other DeFi protocols.
On March 14, Euler provided an update on the situation and informed its users that the vulnerable etoken module had been disabled to prevent deposits and the vulnerable donation function had been disabled.
According to the company, they work with various security groups to perform protocol audits, and the vulnerable code was reviewed and approved during an outside audit. The vulnerability was not found during the audit. Despite a $1 million bug bounty, the vulnerability remained on-chain for eight months before being exploited.
Sherlock, an audit firm that has previously worked with Euler Finance, confirmed the root cause of the exploit and assisted Euler in filing a claim. The audit protocol then voted on the $4.5 million claim, which was approved, and later executed a $3.3 million payout on March 14.
The audit group identified a significant factor for the exploit in its analysis report: a missing health check in “donateToReserves,” a new function added in EIP-14. The protocol, however, emphasised that the attack was technically possible even before EIP-14.
Sherlock observed that WatchPug’s Euler audit in July 2022 overlooked the critical vulnerability that eventually led to the exploit in March 2023.
Euler has also contacted leading on-chain analytic and blockchain security firms, including TRM Labs, Chainalysis, and the broader ETH security community, in an effort to assist them with the investigation and recovery of the funds.
Euler also stated that they are attempting to contact the perpetrators of the attack in order to learn more about the situation and possibly negotiate a bounty to recover the stolen funds.