On the 13th of March 2023 08:56:35 AM +UTC the lending Protocol Euler Finance experienced a Flash Loan Attack.
Euler protocol is a Decentralized lending protocol that operates on Ethereum and other blockchain networks. The primary functionality of Euler is the lending and borrowing of digital assets. The UK-based team leverages math principles to deliver a high-performance, non-custodial lending experience for its users.
The Euler exploiter was able to attack the protocol through a compromised function called donateToReserves which didn’t perform the adequate liquidity checks of the native EToken. Leveraging a flash loan of $30m & several contract calls, the attacker could drain $196 million from the protocol across six different coins.
Attacker’s address:
https://etherscan.io/address/0xb66cd966670d962c227b3eaba30a872dbfb995db
Attacker’s contract address:
https://etherscan.io/address/0x036cec1a199234fc02f72d29e596a09440825f1c
The transaction where the Euler exploiter moved the 88,752 ETH to his personal wallet:
https://etherscan.io/tx/0x298bde3f9e53f7a5d870f7f5d56ee2f5e41fa25e6eb5e74611ac97025405db55
He was able to do so with an initial flash loan transaction:
https://etherscan.io/tx/0xc310a0affe2169d1f6feec1c63dbc7f7c62a887fa48795d327d4d2da2d6b111d
The attacker first borrowed a 30m DAI flash loan using AAVEv2 then deployed two smart contracts, one for borrowing and another for liquidating. The attacker then transferred the funds to the borrower contract: 0xeBC29.
Borrow contract:
https://etherscan.io/address/0xebc29199c817dc47ba12e3f86102564d640cbf99
Liquidation contract:
https://etherscan.io/address/0x036cec1a199234fc02f72d29e596a09440825f1c
The borrower contract then proceeds to deposit 20M DAI in Euler and in return receives 19.5M eDAI, the Euler EToken mentioned earlier.
Euler protocol allows up to 10x leverage on deposits through the mint function. The hacker uses this to borrow 195.6 eDAI and 200m dDAI (a token used to represent debt on the Euler protocol).
The hacker then uses the remaining 10M DAI from the flash loan to repay part of their debt, destroying 10M DToken.
Once the 10m DTokens have been destroyed, they make a call to the mint function once more to borrow another 195.6M eDAI and 200m dDAI.
This is where the bug in Euler’s code is exploited, the hacker proceeds to call the function
donateToReservesand donates 10x the amount needed to pay their debt, 100m eDAI, then proceeds to initiate the liquidation process, leaving them with 310M dDAI and 250M eDAI respectively. The issue lies in the lack of liquidity check in the function, eDAI gets burned during the liquidation but not dDAI, leaving a bunch of unpayable debt.
Now all the hacker has to do is withdraw their eDAI, which gives them back 38.9M DAI, netting 8.8M profit after the 30M flash loan is repaid. They proceed to rinse and repeat this process until the entire protocol is drained.
As mentioned earlier, the bug lied in the donateToReserves function. This function fails to call checkLiquidity which checks to ensure that EToken balance is greater than DToken for the specific user. It is necessary to ensure that user liquidity is correct with every function call (see mint function) donateToReserve lacking this important check is what led to the fake debt and ultimately the exploit.
For starters, the burn function should have been properly called. Both tokens should have been burned during the liquidation process.
The
checkLiquidityfunction should have been used in every step of the way to ensure balances of E and D tokens are correct.Third party solutions such as Ironblocks, Ancila, Peckshield and others could have detected the malicious behavior from the moment the attacker placed the first transaction, allowing the team to deploy a preventative response before loss of funds.
Teams should always ensure their data comes from trusted and reliable Oracles.