$196 100 000 USD

MARCH 2023

GLOBAL

EULER FINANCE

DESCRIPTION OF EVENTS

"Democratising the assets people can lend and borrow. Euler is a non-custodial protocol on Ethereum that allows users to lend and borrow almost any crypto asset."

 

"Euler is a non-custodial permissionless lending protocol on Ethereum that helps users to earn interest on their crypto assets or hedge against volatile markets without the need for a trusted third-party. Euler protocol features a number of innovations not seen before in DeFi, including permissionless lending markets, reactive interest rates, protected collateral, MEV-resistant liquidations, multi-collateral stability pools, and much more. For more information, read the White Paper."

 

"Euler comprises a set of smart contracts deployed on the Ethereum blockchain that can be openly accessed by anyone with an internet connection. Euler is managed by holders of a protocol native governance token called Euler Governance Token (EUL). Euler is entirely non-custodial; users are responsible for managing their own funds. A convenient and user-friendly front-end for the Euler smart contracts is hosted at https://app.euler.finance. However, users are free to access the protocol in whatever format they wish; a popular alternative can be found at https://instadapp.io/."

 

"Permissionless listing is much riskier on decentralised lending protocols than on other DeFi protocols, like decentralised exchanges, because of the potential for risk to spill over from one pool to another in quick succession. For example, if a collateral asset suddenly decreases in price, and subsequent liquidations fail to repay borrowers' debts sufficiently, then the pools of multiple different types of assets can be left with bad debts. To counter these challenges, Euler uses risk-based asset tiers to protect the protocol and its users."

 

"The Euler Finance protocol permits its users to create artificial leverage by minting and depositing assets in the same transaction via EToken::mint. This mechanism permits tokens to be minted that exceed the collateral held by the Euler Finance protocol itself.

 

The donation mechanism introduced by Euler Finance in eIP-14¹ (EToken::donateToReserves) permits a user to donate their balance to the reserveBalance of the token they are transacting with. The flaw lies in that it does not perform any health check on the account that is performing the donation."

 

"Lending on Euler is managed via eTokens (collateral) and dTokens (debt), with liquidations triggered when a user has more dTokens than eTokens.

 

The exploited vulnerability involved the little-used donateToReserves function which was incorporated into Euler via EIP14 last year. donateToReserves allows users to send eTokens directly to Euler reserves, however does not contain a check on the health of the user's position.

 

The hacker took advantage of this by using two contracts, one of which would incur bad debt via donateToReserves, and the other would act as liquidator.

 

Using flash-loaned funds and Euler’s leverage system to create a large, underwater position on one contract, the liquidator contract could obtain the inflated eToken collateral at a discount, and withdraw into the underlying assets.

 

Omniscia, one of Euler’s six auditors, published a detailed post-mortem, summing up the issue as follows:

 

The attack ultimately arose from an incorrect donation mechanism and did not account for the donator’s debt health, permitting them to create an unbacked DToken debt that will never be liquidated."

 

"The vulnerability that was exploited stems from how Euler Finance permits donations to be performed without a proper account health check.

 

The vulnerable code was introduced in eIP-14¹ which introduced multiple changes throughout the Euler Ecosystem. The flaw lies in the first change performed to the EToken implementation (EToken::donateToReserves feature²).

 

The logic within the Liquidation module will attempt to repay the full debt of the violator, however, if the collateral they possess would not satisfy the expected repayment yield, the system defaults to whatever collateral the user has³.

 

The assumption of this code block states that a borrower’s available collateral will be insufficient only when:

 

This can happen when borrower has multiple collaterals and seizing all of this one won’t bring the violator back to solvency

 

This security guarantee is not upheld by the donation mechanism which permits the user to create “bad debt” in the form of leverage that is uncollateralized by donating their EToken units without affecting their DToken balance."
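The accounting described in the excerpts above, as an added example that is not Euler's Solidity and not taken from any of the quoted sources: a deliberately simplified Python model of eToken (collateral) and dToken (debt) balances in which mint runs a health check but donateToReserves does not, followed by a liquidation that falls back to "whatever collateral the user has" when the violator cannot cover the repayment. The single risk factor, the flat liquidation discount, the account names and all amounts are assumptions chosen to keep the arithmetic readable; Euler's real collateral and borrow factors and its dynamic discount differ.

```python
"""Simplified accounting model of the donateToReserves flaw.

Added example, not Euler's code. Balances are in underlying units; a single
RISK_FACTOR stands in for Euler's collateral/borrow factors and a flat
MAX_DISCOUNT for its dynamic liquidation discount. All amounts are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

RISK_FACTOR = 0.9      # assumed: risk-adjusted value of one unit of collateral
MAX_DISCOUNT = 0.20    # assumed: collateral bonus handed to the liquidator


class HealthCheckFailed(Exception):
    """Raised when an operation would leave an account under-collateralised."""


@dataclass
class Account:
    name: str
    collateral: float = 0.0   # eToken balance (claim on underlying)
    debt: float = 0.0         # dToken balance (debt owed)

    def health(self) -> float:
        """Risk-adjusted collateral over debt; >= 1.0 means solvent."""
        if self.debt == 0:
            return float("inf")
        return self.collateral * RISK_FACTOR / self.debt


@dataclass
class Market:
    reserves: float = 0.0
    donation_health_check: bool = False   # False reproduces the flaw

    def _require_healthy(self, acct: Account) -> None:
        if acct.health() < 1.0:
            raise HealthCheckFailed(f"{acct.name}: health {acct.health():.3f} < 1.0")

    def deposit(self, acct: Account, amount: float) -> None:
        acct.collateral += amount

    def mint(self, acct: Account, amount: float) -> None:
        """Self-collateralised leverage: equal eTokens and dTokens in one step.
        The health check here is what bounds the leverage."""
        acct.collateral += amount
        acct.debt += amount
        self._require_healthy(acct)

    def donate_to_reserves(self, acct: Account, amount: float) -> None:
        """Move eTokens from the account to protocol reserves. The debt stays
        behind, so without the check the account can be left underwater."""
        if amount > acct.collateral:
            raise ValueError("insufficient eToken balance")
        acct.collateral -= amount
        self.reserves += amount
        if self.donation_health_check:      # the check the flawed version lacked
            self._require_healthy(acct)

    def liquidate(self, liquidator: Account, violator: Account) -> tuple[float, float]:
        """Liquidator takes over debt and receives collateral at a discount.
        If the violator's collateral cannot cover repayment plus discount, the
        liquidator takes whatever is left and the rest of the debt is unbacked."""
        if violator.health() >= 1.0:
            raise ValueError("account is not in violation")
        needed = violator.debt / (1.0 - MAX_DISCOUNT)   # collateral to clear all debt
        seized = min(needed, violator.collateral)
        assumed = seized * (1.0 - MAX_DISCOUNT)         # debt the liquidator takes on
        violator.collateral -= seized
        violator.debt -= assumed
        liquidator.collateral += seized
        liquidator.debt += assumed
        return seized, assumed


def run_attack(donation_health_check: bool) -> dict:
    """Replay the pattern from the post-mortems with constructed amounts:
    deposit, leverage up via mint, donate collateral away, then liquidate
    from a second account. Returns the resulting state."""
    market = Market(donation_health_check=donation_health_check)
    violator = Account("violator")
    liquidator = Account("liquidator")

    market.deposit(violator, 100.0)    # flash-loaned funds
    market.mint(violator, 800.0)       # collateral 900, debt 800: passes the check
    try:
        market.donate_to_reserves(violator, 400.0)   # collateral 500, debt 800
    except HealthCheckFailed:
        return {"reverted": True, "bad_debt": 0.0}

    health_after = violator.health()
    seized, assumed = market.liquidate(liquidator, violator)
    return {
        "reverted": False,
        "health_after_donation": health_after,
        "seized": seized,
        "assumed": assumed,
        "bad_debt": violator.debt,      # debt left with no collateral behind it
        "reserves": market.reserves,
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(donation_health_check=False))
    print("fixed:     ", run_attack(donation_health_check=True))
```

In the vulnerable configuration the donation goes through, the violator's health drops below 1.0, and the liquidation seizes all remaining collateral while leaving debt that no one will ever repay; with the check applied the same donation reverts and no bad debt is created. The toy does not model the attacker's profit, which depended on Euler's actual factors and discount curve; it isolates the invariant that the donation broke.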

 

"SlowMist provided a summary of the addresses and transactions involved: total losses comprised 86k in ETH derivatives ($134.6M), 849 WBTC ($18.6M), 34M USDC, 8.9M DAI."

 

"Auditors and smart contract insurance protocol Sherlock has taken responsibility for missing the vulnerability in their review of EIP-14 last year, and will pay a claim of $4.5M to Euler.

 

Euler reached out to the attacker’s address via tx input data:

 

We understand that you are responsible for this morning's attack on the Euler platform. We are writing to see whether you would be open to speaking with us about any potential next steps.

 

But with some funds having been sent to Tornado via a pass-through address in what seems like a test, the prospects of returned funds aren’t looking good…

 

Given Euler’s high-profile and stable reputation, many other DeFi organisations had funds tied up in the protocol.

 

The fact that so many other projects chose to integrate with Euler is a testament to just how shocking this exploit has been for the community. And many have reached out in support of the Euler team."

 

Explore This Case Further On Our Wiki

Euler is a non-custodial permissionless lending protocol on Ethereum that enables users to lend and borrow almost any crypto asset. It features a number of innovations, including permissionless lending markets, reactive interest rates, protected collateral, and multi-collateral stability pools. Users can create artificial leverage by minting and depositing assets in the same transaction, and the donateToReserves function introduced in eIP-14 let a user donate eToken collateral to reserves without any check on the health of their position. The attacker used this to leave one contract with an unbacked DToken debt, then liquidated it from a second contract at a discount and withdrew the underlying assets. The vulnerability was missed by auditors and smart contract insurance protocol Sherlock, which will pay a claim of $4.5M to Euler. Total losses from the attack were 86k in ETH derivatives ($134.6M), 849 WBTC ($18.6M), 34M USDC, and 8.9M DAI.

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.


© 2019 - 2026 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.