Euler Finance DeFi Protocol Attack Leaves It $197 Million Short in Crypto Assets

Non-custodial DeFi (decentralized finance) lending protocol Euler Finance lost $197 million worth of digital assets after it was hit by a crypto flash loan attack on Sunday.

Perpetrators stole multiple crypto tokens, including $135.8 million worth of stETH, $8.75 million in DAI, $33.85 million in USDC, and $18.5 million in WBTC.

Security companies are keeping a close eye on the ETH wallet used to siphon the tokens, hoping it might prevent the criminals from moving the ill-gained tokens.

Unfortunately, as blockchain analysis firm Elliptic reported, the crooks already took to heavily sanctioned crypto mixer Tornado Cash to launder the tokens.

Blockchain security company PeckShield disclosed the incident on Twitter, giving readers an Etherscan transaction hash URL. Euler Finance’s parent company Euler Labs replied:

“We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it.”

To make matters worse, the attack crashed Euler’s proprietary token EUL, which plunged roughly 50% from $6 on Sunday to $3.06 at the time of writing this report.

Flash loan attacks like the one that hit Euler Finance exploit lending protocol vulnerabilities to manipulate token prices during a loan. While the tokens or assets cost is artificially inflated, perpetrators return it to the lender for prodigious profits.

According to PeckShield, the attack involved at least two parties: a borrower and a liquidator, who performed the malicious operations synchronously.

“The hack is made possible due to the flawed logic (of) its donation and liquidation,” reads PeckShield’s Tweet. “Specifically, the donateToReserves needs to ensure the donator is still over-collateralized. And liquidation needs to ensure the *correct* conversion rate from borrow to collateral asset.”