# The Euler Exploit By [Sage](https://paragraph.com/@sage-3) · 2023-03-23 --- On the 13th of March 2023 08:56:35 AM +UTC the lending Protocol Euler Finance experienced a [Flash Loan Attack](https://shardeum.org/blog/what-is-a-flash-loan-attack/). Euler protocol is a Decentralized lending protocol that operates on Ethereum and other blockchain networks. The primary functionality of Euler is the lending and borrowing of digital assets. The UK-based team leverages math principles to deliver a high-performance, non-custodial lending experience for its users. What happened ------------- The Euler exploiter was able to attack the protocol through a compromised function called donateToReserves which didn’t perform the adequate liquidity checks of the native EToken. Leveraging a flash loan of $30m & several contract calls, the attacker could drain $196 million from the protocol across six different coins. Attacker’s address: [https://etherscan.io/address/0xb66cd966670d962c227b3eaba30a872dbfb995db](https://etherscan.io/address/0xb66cd966670d962c227b3eaba30a872dbfb995db) Attacker’s contract address: [https://etherscan.io/address/0x036cec1a199234fc02f72d29e596a09440825f1c](https://etherscan.io/address/0x036cec1a199234fc02f72d29e596a09440825f1c) The transaction where the Euler exploiter moved the 88,752 ETH to his personal wallet: [https://etherscan.io/tx/0x298bde3f9e53f7a5d870f7f5d56ee2f5e41fa25e6eb5e74611ac97025405db55](https://etherscan.io/tx/0x298bde3f9e53f7a5d870f7f5d56ee2f5e41fa25e6eb5e74611ac97025405db55) He was able to do so with an initial flash loan transaction: [https://etherscan.io/tx/0xc310a0affe2169d1f6feec1c63dbc7f7c62a887fa48795d327d4d2da2d6b111d](https://etherscan.io/tx/0xc310a0affe2169d1f6feec1c63dbc7f7c62a887fa48795d327d4d2da2d6b111d) How did they do it? ------------------- 1. The attacker first borrowed a 30m DAI flash loan using AAVEv2 then deployed two smart contracts, one for borrowing and another for liquidating. The attacker then transferred the funds to the borrower contract: [0xeBC29](https://etherscan.io/address/0xebc29199c817dc47ba12e3f86102564d640cbf99). ![Initial flash loan call](https://storage.googleapis.com/papyrus_images/d030b0079c26ff006d0fd877c1be71ffcba163d7fb10931ef4d39c2d390ec728.png) Initial flash loan call Borrow contract: [https://etherscan.io/address/0xebc29199c817dc47ba12e3f86102564d640cbf99](https://etherscan.io/address/0xebc29199c817dc47ba12e3f86102564d640cbf99) Liquidation contract: [https://etherscan.io/address/0x036cec1a199234fc02f72d29e596a09440825f1c](https://etherscan.io/address/0x036cec1a199234fc02f72d29e596a09440825f1c) 1. The borrower contract then proceeds to deposit 20M DAI in Euler and in return receives 19.5M eDAI, the Euler EToken mentioned earlier. ![](https://storage.googleapis.com/papyrus_images/d86c421ca4bdab72ec1b511fe49f4eab0028274ffd76ff8c07ece1f7277eaacd.png) 1. Euler protocol allows up to 10x leverage on deposits through the mint function. The hacker uses this to borrow 195.6 eDAI and 200m dDAI (a token used to represent debt on the Euler protocol). ![Here you can see the borrow for 200M.](https://storage.googleapis.com/papyrus_images/7ba19fa9a90f6b959a2d4353b938929a6256dc5728f37246a8f3c26eab48d74c.png) Here you can see the borrow for 200M. 1. The hacker then uses the remaining 10M DAI from the flash loan to repay part of their debt, destroying 10M DToken. ![Notice on the last line how 10M tokens are sent to the genesis address](https://storage.googleapis.com/papyrus_images/e31a332d16951dd40d1919bb4df34d19a824afd9fcca3d10f71ffafc7d733b0e.png) Notice on the last line how 10M tokens are sent to the genesis address 1. Once the 10m DTokens have been destroyed, they make a call to the mint function once more to borrow another 195.6M eDAI and 200m dDAI. ![](https://storage.googleapis.com/papyrus_images/c620654e2d9b737f7d72e6eb51c8e3740bfd44d0fdb30cd7c66fd4640fd1d25b.png) 1. This is where the bug in Euler’s code is exploited, the hacker proceeds to call the function `donateToReserves` and donates 10x the amount needed to pay their debt, 100m eDAI, then proceeds to initiate the liquidation process, leaving them with 310M dDAI and 250M eDAI respectively. The issue lies in the lack of liquidity check in the function, eDAI gets burned during the liquidation but not dDAI, leaving a bunch of unpayable debt. ![](https://storage.googleapis.com/papyrus_images/b26b45800d5af1472600e4e916b02f346fbea9b4062a239926f316c79da97df0.png) 1. Now all the hacker has to do is withdraw their eDAI, which gives them back 38.9M DAI, netting 8.8M profit after the 30M flash loan is repaid. They proceed to rinse and repeat this process until the entire protocol is drained. ![](https://storage.googleapis.com/papyrus_images/4113e23dc52c62133031a6f4e49c6313593875b4951ab8b91ae89901620bdfeb.png) Where was the bug? ------------------ As mentioned earlier, the bug lied in the `donateToReserves` function. This function fails to call `checkLiquidity` which checks to ensure that EToken balance is greater than DToken for the specific user. It is necessary to ensure that user liquidity is correct with every function call (see mint function) `donateToReserve` lacking this important check is what led to the fake debt and ultimately the exploit. ![Notice how mint has the checkliquidity function call.](https://storage.googleapis.com/papyrus_images/68e4c91984e76f7cfd73a6e65bdf64cbb81053ffecb3f33d53fabeb039f0caaf.webp) Notice how mint has the checkliquidity function call. How can we prevent this? ------------------------ * For starters, the burn function should have been properly called. Both tokens should have been burned during the liquidation process. * The `checkLiquidity` function should have been used in every step of the way to ensure balances of E and D tokens are correct. * Third party solutions such as [Ironblocks](https://www.ironblocks.com/), [Ancila](https://www.ancilia.ai/), [Peckshield](https://peckshield.com/) and others could have detected the malicious behavior from the moment the attacker placed the first transaction, allowing the team to deploy a preventative response before loss of funds. * Teams should always ensure their data comes from trusted and reliable Oracles. --- *Originally published on [Sage](https://paragraph.com/@sage-3/the-euler-exploit)*