Euler Finance Exploited for $197M in Flash Loan Attack

Decentralized finance (DeFi) lending protocol Euler Finance became the victim of a flash loan exploit, which saw the attacker steal $197 million worth of crypto, security firms BlockSec and PeckShield said on 13 March.

According to on-chain data, the attack on the protocol began at 4:50 am ET, when the exploiter began to carry out multiple transactions to steal 85,818 staked ether (stETH), 34.5 million USDC, 849 wrapped Bitcoin (WBTC), and 8.9 million DAI. Euler Finance noted it is working with security professionals and more information will be released soon.

Crypto analytic firm Meta Sleuth observed that the exploiter used a multichain bridge to transfer funds from the BNB Smart Chain (BSC) to Ethereum before executing his attack today. ZachXBT also noted that the movement of funds and the way the attack was carried out were similar to how a BSC-based protocol was exploited last month.

On-chain data shows that the attacker borrowed more than $30 million worth of DAI from DeFi protocols Balancer and Aave, $20 million of which were sent to Euler in exchange 19.5 million of eDAI (a collateral token). He then borrowed ten times the deposited amount from Euler — receiving 195.6 million eDAI and 200 million dDAI (debt token) — and then repaid a part of the debt using the remaining $10 million DAI from Balancer and Aave. By repeating these steps the attacker was able to trick the protocol into falsely assuming it owed more to depositors than it held.