On March 13, a flash loan attack targeted Euler Finance, one of the top decentralized finance (DeFi) lending protocols, resulting in the largest crypto breach of 2023. The attack cost the lending protocol around $195 million and also negatively affected more than 11 other DeFi protocols. The event has raised concerns about the security of DeFi platforms and the effectiveness of external audits.
Flash loan attacks, which exploit flaws in smart contract code to manipulate a protocol, are becoming more frequent in the DeFi space. Flash loans let users borrow funds without posting any collateral, provided the loan is repaid within the same transaction. The attacker takes out a large loan and uses the funds to manipulate asset prices, create artificial liquidity, or exploit a weakness in the smart contract. Once the transaction completes, the attacker repays the loan and keeps the profit.
The attack on Euler Finance used a flash loan from another DeFi platform. The attacker exploited a flaw in the Euler protocol that had gone undetected during an external audit. The vulnerability was tied to a new function introduced in EIP-14: “donateToReserves” lacked a health check (the step that confirms an account remains sufficiently collateralized after an operation), which allowed the attacker to siphon funds from the protocol.
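To illustrate the class of defect described above, here is an added, hypothetical Solidity sketch. It is not Euler's code: the contract name, function names, the 75% collateral factor and the eToken/dToken-style balances are all assumptions. It places a donation function that skips the health check next to a hardened version that re-validates the account's solvency, exactly as the pool's borrow path already does:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical, simplified lending pool used only to illustrate the
/// "missing health check" pattern. Not Euler's code; names and numbers
/// are made up. Collateral and debt are tracked per account in one unit.
contract ToyLendingPool {
    // Assumed: 75% of collateral value may be borrowed against.
    uint256 public constant COLLATERAL_FACTOR_BPS = 7500;

    mapping(address => uint256) public collateral; // eToken-like balance
    mapping(address => uint256) public debt;       // dToken-like balance
    uint256 public reserves;

    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
    }

    /// Borrowing re-validates solvency before the state change is accepted.
    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        require(isHealthy(msg.sender), "borrow would leave account under-collateralized");
    }

    /// Health check: borrowing power derived from collateral must cover debt.
    function isHealthy(address account) public view returns (bool) {
        uint256 borrowingPower = collateral[account] * COLLATERAL_FACTOR_BPS / 10_000;
        return debt[account] <= borrowingPower;
    }

    /// VULNERABLE PATTERN: moves collateral into reserves without re-checking
    /// the account's health, so outstanding debt can be left unbacked.
    function donateToReservesUnchecked(uint256 amount) external {
        collateral[msg.sender] -= amount; // reverts on underflow only
        reserves += amount;
        // no isHealthy() call here
    }

    /// HARDENED PATTERN: every operation that reduces an account's collateral
    /// must re-validate solvency, the same way borrow() does.
    function donateToReservesChecked(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
        require(isHealthy(msg.sender), "donation would leave account under-collateralized");
    }
}
```

The review point this sketch makes is that a health check belongs on every state transition that can worsen an account's position, not only on borrows: a new entry point that moves collateral out of an account is a borrow-like operation for solvency purposes and needs the same invariant enforced.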
In response to the attack, Euler Finance swiftly blocked deposits and disabled the donation feature as well as the vulnerable eToken module. The company also engaged a number of security organizations to evaluate its protocol; the exposed code had been examined and approved during an external audit. Nevertheless, the vulnerability remained on-chain for eight months until it was exploited, despite a $1 million bug bounty being in place.
Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler submit a claim. The audit protocol later voted on the $4.5 million claim, which passed, and executed a $3.3 million payout on March 14. The incident has raised questions about the efficacy of external audits and the need for stronger security measures in DeFi platforms.
The Euler Finance attack has also made clear the need for greater cooperation between DeFi platforms and security companies. To assist with the investigation and recover the funds, Euler Finance has contacted leading on-chain analytics and blockchain security companies such as TRM Labs and Chainalysis, as well as the wider ETH security community. The platform is also attempting to get in touch with the attackers to learn more about the problem and possibly negotiate a bounty for the return of the stolen funds.