Euler Finance blocks vulnerable module, working on recovering funds

Euler Finance blocks vulnerable module, working on recovering funds


Decentralized finance (DeFi) lending protocol Euler Finance became the victim of a quick lending attack on March 13, resulting in the biggest crypto hack in 2023 until now. The lending protocol lost nearly $197 million in the attack and impacted more than 11 other DeFi protocols too.

On March 14, Euler posted an update on the situation and notified its users that they had disabled the vulnerable etoken module to block deposits and the vulnerable donation feature.

The firm said they work with various security groups to conduct audits of their protocol, and the vulnerable code was reviewed and approved during an external audit. The vulnerability was not discovered as part of the audit.

The vulnerability remained on-chain for eight months until it was exploited, despite a $1 million bug bounty in place.

Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler file a claim. The audit protocol then voted on the $4.5 million claim, which was approved, and then executed a $3.3 million payment on March 14.

In their analysis report, the audit group noted an important factor for the exploit: a missing status check in “donateToReserves”, a new function added in EIP-14. However, the protocol emphasized that the attack was still technically possible even before EIP-14.

Related: More than 280 blockchains at risk of ‘zero-day’ exploits, security firm warns

Sherlock noted that WatchPug’s July 2022 audit of Euler did not detect the critical vulnerability that ultimately led to the March 2023 exploit.

Euler has also reached out to major blockchain security and on-chain analytics firms, such as TRM Labs, Chainalysis, and the ETH security community at large, in an attempt to help them with the investigation and recover the funds.

Euler notified that they are also trying to contact those responsible for the attack to obtain more information on the matter and possibly negotiate a reward to recover the stolen funds.