Euler Finance, a DeFi lending protocol, suffered a flash loan attack on March 13, the biggest crypto hack of 2023 so far. The lending protocol lost nearly $197 million in the attack, which also impacted more than 11 other DeFi protocols. Euler Finance disabled the vulnerable eToken module and the vulnerable donation function to block deposits.
On March 14, Euler Finance updated its users on the situation and notified them of the disabled features. The firm stated that it works with various security groups to perform audits of its protocol, and the vulnerable code was reviewed and approved during an outside audit. However, the vulnerability remained on-chain for eight months until it was exploited, despite a $1 million bug bounty in place.
Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler submit a claim. The audit protocol then voted on the $4.5 million claim, which passed, and executed a $3.3 million payout on March 14.
In its analysis report, the audit group noted a significant factor for the exploit: a missing health check in “donateToReserves,” a new function added in EIP-14. However, the protocol stressed that the attack was still technically possible even before EIP-14.
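
The missing health check named in the report can be illustrated with a simplified model; this is an added example, not Euler's contract code or Sherlock's analysis. The `Market` class, its method names, and the 80% collateral factor are assumptions made for illustration.

```python
# Simplified model of a lending market (assumption: not Euler's contract code).
from dataclasses import dataclass

COLLATERAL_FACTOR_PCT = 80  # constructed value: 80% of collateral counts toward borrowing


class HealthCheckFailed(Exception):
    """Raised when an operation would leave an account under-collateralised."""


@dataclass
class Account:
    collateral: int  # value of deposits backing the loan
    debt: int        # value owed to the market


class Market:
    def __init__(self) -> None:
        self.reserves = 0
        self.accounts = {}  # owner name -> Account

    def is_healthy(self, owner: str) -> bool:
        acct = self.accounts[owner]
        return acct.collateral * COLLATERAL_FACTOR_PCT >= acct.debt * 100

    def _donate(self, owner: str, amount: int) -> None:
        acct = self.accounts[owner]
        if amount <= 0 or amount > acct.collateral:
            raise ValueError("invalid donation amount")
        acct.collateral -= amount
        self.reserves += amount

    def donate_unchecked(self, owner: str, amount: int) -> None:
        # Flawed shape: collateral leaves the account, debt stays,
        # and nothing re-checks solvency afterwards.
        self._donate(owner, amount)

    def donate_checked(self, owner: str, amount: int) -> None:
        # Hardened shape: apply the change, then enforce the invariant
        # or roll the state back (an EVM revert would do this implicitly).
        self._donate(owner, amount)
        if not self.is_healthy(owner):
            self.accounts[owner].collateral += amount
            self.reserves -= amount
            raise HealthCheckFailed(f"{owner} would be under-collateralised")
```
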
Sherlock noted that the Euler audit by WatchPug in July 2022 missed the critical vulnerability that eventually led to the exploit in March 2023. Euler has also reached out to leading on-chain analytics and blockchain security firms, such as TRM Labs, Chainalysis, and the broader ETH security community, in a bid to help them with the investigation and recover the funds.
Euler Finance has notified that they are also trying to contact those