Euler Finance hack: How it happened, and what can be learned

by Jeremy

The March 13 flash loan attack against Euler Finance resulted in over $195 million in losses. It caused a contagion to spread through several decentralized finance (DeFi) protocols, and at least 11 protocols other than Euler suffered losses as a result of the attack.

Over the next 23 days, and to the great relief of many Euler users, the attacker returned all of the exploited funds.

But while the crypto community can celebrate the return of the funds, the question remains whether similar attacks could cause massive losses in the future.

An analysis of how the attack happened, and of whether developers and users can do anything to help prevent these kinds of attacks going forward, may therefore be useful.

Fortunately, Euler's developer docs clearly explain how the protocol works, and the blockchain itself has preserved a complete record of the attack.

How Euler Finance works

According to the protocol's official docs, Euler is a lending platform similar to Compound or Aave. Users can deposit crypto and allow the protocol to lend it to others, or they can use a deposit as collateral to borrow crypto.

The value of a user's collateral must always be greater than what they borrow. If a user's collateral falls below a specific ratio of collateral value to debt value, the platform allows them to be "liquidated," meaning their collateral can be sold off to pay back their debts. The exact amount of collateral a user needs depends on the asset being deposited vs. the asset being borrowed.

eTokens are assets, while dTokens are debts

Whenever users deposit to Euler, they receive eTokens representing the deposited coins. For example, if a user deposits 1,000 USD Coin (USDC), they will receive a corresponding amount of eUSDC in exchange.

eTokens do not keep a 1:1 correspondence with the underlying asset in terms of value: as the deposit earns interest, each eToken becomes worth more than one unit of the underlying coin.

Euler also allows users to gain leverage by minting eTokens. But if they do this, the protocol will send them debt tokens (dTokens) to balance out the assets created.

For example, the docs say that if a user deposits 1,000 USDC, they can mint 5,000 eUSDC. However, if they do this, the protocol will also send them 5,000 of a debt token called "dUSDC."

The transfer function for a dToken is written differently from that of a typical ERC-20 token. If you own a debt token, you can't transfer it to another person, but anyone can take a dToken from you if they want to.


According to the Euler docs, a user can only mint as many eTokens as they would have been able to obtain by depositing and borrowing over and over again. As the docs put it: "The Mint function mimics what would happen if a user deposited $1,000 USDC, then borrowed $900 USDC, then redeposited that $900 USDC, to borrow $810 more USDC, and so on."

Users are liquidated if their health score drops to 1 or below

According to a blog post from Euler, each user has a "health score" based on the value of the eTokens held in their wallet vs. the value of the dTokens held. A user needs to hold a higher dollar value of eTokens than dTokens, but how much higher depends on the particular coins they are borrowing or depositing. Regardless, a user with enough eTokens will have a health score greater than 1.

If the user falls slightly below the required number of eTokens, they will have a health score of exactly 1. This subjects them to "soft liquidation." Liquidator bots can call a function to transfer some of the user's eTokens and dTokens to themselves until the borrower's health score returns to 1.25. Since a user who is only slightly below the collateral requirement still has more collateral than debt, the liquidator should profit from this transaction.

If a user's health score falls below 1, an increasing discount is given to the liquidator based on how bad the health score is. The worse the health score, the greater the discount to the liquidator. This is meant to make sure that someone will always liquidate an account before it accumulates too much bad debt.

Euler's post claims that other protocols offer a "fixed discount" for liquidation and argues why it considers variable discounts superior.

How the Euler attack happened

Blockchain data shows that the attacker carried out a series of attacks that drained various tokens from the protocol. The first attack drained around $8.9 million worth of Dai (DAI) from the DAI deposit pool. It was then repeated over and over against other deposit pools until the total amount was drained.

The attacker used three different Ethereum addresses to perform the attack. The first was a smart contract, which Etherscan has labeled "Euler Exploit Contract 1," used to borrow from Aave. The second address was used to deposit and borrow from Euler, and the third was used to perform a liquidation.

To avoid repeatedly stating the addresses that Etherscan has not labeled, the second account will be referred to as "Borrower" and the third account as "Liquidator," as shown below:

Ethereum addresses used by the hacker. Source: Etherscan

The first attack consisted of 20 transactions in the same block.

First, Euler Exploit Contract 1 borrowed 30 million DAI from Aave in a flash loan. It then sent this loan to the borrower account.

After receiving the 30 million DAI, borrower deposited 20 million of it into Euler. Euler responded by minting roughly 19.6 million eDAI and sending it to borrower.

These eDAI coins were a receipt for the deposit, so no corresponding amount of dDAI was minted in the process. And since each eDAI can be redeemed for slightly more than one DAI, borrower received only 19.6 million eDAI rather than the full 20 million.

After performing this initial deposit, borrower minted roughly 195.7 million eDAI. In response, Euler minted 200 million dDAI and sent it to borrower.

At this point, borrower was near their eDAI mint limit, as they had now borrowed about 10 times the amount of DAI they had deposited. So their next step was to pay back some of the debt. They deposited the other 10 million DAI they had held onto, effectively paying back $10 million of the loan. In response, Euler took 10 million dDAI out of borrower's wallet and burned it, reducing borrower's debt by $10 million.


The attacker was then free to mint more eDAI. Borrower minted another 195.7 million eDAI, bringing the total eDAI they had minted to around 391.4 million. Together with the 19.6 million eDAI in deposit receipts, borrower's eDAI balance came to about 411 million.

In response, Euler minted another 200 million dDAI and sent it to borrower, bringing borrower's outstanding debt to roughly $400 million.

Once borrower had maxed out their eDAI minting capacity, they removed 100 million eDAI from their own balance (shown on Etherscan as a transfer to the null address, and, as discussed below, actually a donation to Euler's reserves), effectively destroying it.

This pushed their health score well below 1, as they now had roughly $400 million in debt vs. roughly $320 million in assets.

This is where the liquidator account comes in. It called the liquidate function, entering borrower's address as the account to be liquidated.

Liquidation event emitted during the Euler attack. Source: Ethereum blockchain data

In response, Euler initiated the liquidation process. It first took around 254 million dDAI from borrower and destroyed it, then minted 254 million new dDAI and transferred it to liquidator. These two steps moved $254 million worth of debt from borrower to liquidator.

Next, Euler minted an additional 5.08 million dDAI and sent it to liquidator. This brought liquidator's debt to $260 million. Finally, Euler transferred roughly 310.9 million eDAI from borrower to liquidator, completing the liquidation process.

In the end, borrower was left with no eDAI, no DAI, and 146 million dDAI. This meant that the account had no assets and $146 million worth of debt.

Liquidator, on the other hand, held roughly 310.9 million eDAI against only 260 million dDAI.

Once the liquidation was complete, liquidator redeemed 38 million eDAI ($38.9 million), receiving 38.9 million DAI in return. They then returned 30 million DAI plus interest to Euler Exploit Contract 1, which the contract used to pay back the loan from Aave.

In the end, liquidator was left with approximately $8.9 million in profit that had been exploited from other users of the protocol.

This attack was repeated for several other tokens, including Wrapped Bitcoin (WBTC), Staked Ether (stETH) and USDC, amounting to $197 million in exploited cryptocurrencies.

Losses from the Euler attack. Source: BlockSec

What went wrong in the Euler attack

Blockchain security firms Omniscia and SlowMist have analyzed the attack to try to determine what could have prevented it.

According to a March 13 report from Omniscia, the primary problem with Euler was its "donateToReserves" function. This function allowed the attacker to donate their eDAI to Euler's reserves, removing assets from their wallet without removing a corresponding amount of debt. Omniscia says that this function was not in the original version of Euler but was introduced in Euler Improvement Proposal 14 (eIP-14).

The code for eIP-14 shows that it created a function called donateToReserves, which allows the user to transfer tokens from their own balance to a protocol variable called "assetStorage.reserveBalance." Whenever this function is called, the contract emits a "RequestDonate" event that provides information about the transaction.

Blockchain data shows that this RequestDonate event was emitted for a value of 100 million tokens. This is the exact amount that Etherscan shows as burned, pushing the account into insolvency.

Euler's RequestDonate event being emitted during the attack. Source: Ethereum blockchain data

In its March 15 analysis, SlowMist agreed with Omniscia about the importance of the donateToReserves function, stating:

"Failure to check whether the user was in a state of liquidation after donating funds to the reserve address resulted in the direct triggering of the soft liquidation mechanism."

The attacker might also have been able to carry out the attack even if the donate function had not existed. The Euler "EToken.sol" contract code on GitHub contains a standard ERC-20 "transfer" function. This appears to suggest that the attacker could have transferred their eTokens to some other user or to the null address instead of donating them, pushing themselves into insolvency all the same.

Euler eToken contract transfer function. Source: GitHub

However, the attacker chose to donate the funds rather than transfer them, which suggests the transfer route would not have worked. Whether it would have depends on whether the eToken transfer path runs the same health check on the sender that, according to SlowMist, the donate path lacked; a transfer that checks the sender's health afterwards would simply revert.

Cointelegraph has reached out to Omniscia, SlowMist and the Euler team for clarification on whether the donateToReserves function was essential to the attack but had not received a response by publication time.


The two firms agreed that another major vulnerability in Euler was the steep discounts offered to liquidators. According to SlowMist, when a lending protocol has a "liquidation mechanism that dynamically updates discounts," it "creates lucrative arbitrage opportunities for attackers to siphon off a large amount of collateral without the need for collateral or debt repayment." Omniscia made similar observations, stating:

"When the violator liquidates themselves, a percentage-based discount is applied […] guaranteeing that they will be 'above-water' and incur only the debt that matches the collateral they will acquire."

How to prevent a future Euler attack

In its analysis, SlowMist advised developers on how to prevent another Euler-style attack in the future. It argued that lending protocols should not allow users to burn assets if doing so would leave them with bad debt, and it cautioned developers to be careful when combining multiple modules that may interact with each other in unexpected ways:

"The SlowMist Security Team recommends that lending protocols incorporate mandatory health checks in functions that involve user funds, while also considering the security risks that may arise from combining different modules. This will allow for the design of secure economic and viable models that effectively mitigate such attacks in the future."
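To make the mechanics concrete, the following toy model, written for this article and not Euler's own code, replays the DAI leg of the attack described above (flash loan, deposit, mint, repay, mint, donate, liquidate, redeem, repay the loan) against a simplified lending pool, and then shows what SlowMist's recommended health check does to the same sequence. Every number that is not one of the article's figures is an assumption of the model, not a statement about Euler's parameters: the eToken exchange rate is held constant at 20,000,000/19,600,000 (the deposit figures above), the health score is collateral value times an assumed 0.95 collateral factor divided by debt, the liquidation discount is one minus the health score capped at an assumed 25%, the liquidator takes on 2% extra debt (the ratio of the 5.08 million and 254 million figures above), the flash-loan fee is an assumed 0.09%, and the 8.9 million DAI of other users' deposits sitting in the pool is a constructed starting balance. With check_donations=False the donate path runs without a health check, as SlowMist describes; with True the donation itself fails and nothing downstream can happen.

```python
# Added example (not Euler's code): toy lending pool with the attack's DAI leg replayed against it.
from dataclasses import dataclass, field
RATE = 20_000_000 / 19_600_000  # underlying per eToken, held constant (from the 20M -> 19.6M deposit above)
CF = 0.95           # assumed collateral factor for the toy health score
MAX_DISC = 0.25     # assumed cap on the liquidation discount
LIQ_FEE = 0.02      # extra debt minted to the liquidator (5.08M on 254M above is 2%)
FLASH_FEE = 0.0009  # assumed flash-loan fee

class Insolvent(Exception): """Raised when an account's collateral no longer covers its debt."""

@dataclass
class Account:
    etokens: float = 0.0  # claims on the pool (assets)
    dtokens: float = 0.0  # debt, in units of the underlying

@dataclass
class Pool:
    cash: float                    # underlying the pool contract actually holds
    check_donations: bool = False  # False reproduces the unchecked donate path
    accounts: dict = field(default_factory=dict)

    def acct(self, name):
        return self.accounts.setdefault(name, Account())

    def health(self, name):
        a = self.acct(name)
        return float("inf") if a.dtokens == 0 else a.etokens * RATE * CF / a.dtokens

    def _check(self, name):
        if self.health(name) < 1.0:
            raise Insolvent(f"{name}: health {self.health(name):.3f} < 1")

    def deposit(self, name, amount):
        self.cash += amount
        self.acct(name).etokens += amount / RATE

    def mint(self, name, amount):  # leverage: new eTokens balanced by equal-value dTokens
        a = self.acct(name)
        a.etokens += amount / RATE
        a.dtokens += amount
        self._check(name)

    def repay(self, name, amount):
        self.cash += amount
        self.acct(name).dtokens -= amount

    def max_withdraw(self, name):  # largest withdrawal that keeps health >= 1
        a = self.acct(name)
        return max(0.0, a.etokens * RATE - a.dtokens / CF)

    def withdraw(self, name, amount):
        assert amount <= self.cash, "pool does not hold enough underlying"
        self.cash -= amount
        self.acct(name).etokens -= amount / RATE
        self._check(name)

    def donate_to_reserves(self, name, etokens):  # assets leave the account, the debt does not
        self.acct(name).etokens -= etokens  # credited to the protocol reserve in Euler; not modelled
        if self.check_donations:
            self._check(name)  # the health check SlowMist says was missing

    def liquidate(self, liquidator, violator):
        h = self.health(violator)
        if h >= 1.0:
            raise ValueError("violator is healthy")
        v, l = self.acct(violator), self.acct(liquidator)
        discount = min(MAX_DISC, 1.0 - h)  # the worse the health, the bigger the discount
        repay = min(v.dtokens, v.etokens * RATE / (1.0 + discount))
        seized = repay * (1.0 + discount) / RATE  # eTokens handed to the liquidator
        v.dtokens -= repay
        v.etokens -= seized
        l.dtokens += repay * (1.0 + LIQ_FEE)
        l.etokens += seized
        self._check(liquidator)
        return repay, seized * RATE

def run_attack(check_donations=False):
    """Replay the article's sequence; returns the end state, or {"blocked": True} if the check fires."""
    pool = Pool(cash=8_900_000, check_donations=check_donations)  # constructed: other users' DAI
    loan = wallet = 30_000_000  # flash loan from an external lender
    pool.deposit("borrower", 20_000_000); wallet -= 20_000_000
    pool.mint("borrower", 200_000_000)
    pool.repay("borrower", 10_000_000); wallet -= 10_000_000
    pool.mint("borrower", 200_000_000)
    before = pool.health("borrower")
    try:
        pool.donate_to_reserves("borrower", 100_000_000)
    except Insolvent:
        return {"blocked": True}
    after = pool.health("borrower")
    debt_taken, collateral_value = pool.liquidate("liquidator", "borrower")
    take = min(pool.cash, pool.max_withdraw("liquidator"))
    pool.withdraw("liquidator", take); wallet += take  # drain what the pool holds
    wallet -= loan * (1 + FLASH_FEE)
    return {"health_before_donate": before, "health_after_donate": after, "debt_taken": debt_taken,
            "collateral_value": collateral_value, "pool_cash_left": pool.cash,
            "bad_debt": pool.acct("borrower").dtokens, "profit": wallet}
```

Running run_attack() shows the borrower's health falling from about 1.02 to about 0.77 on the donation, the liquidator receiving collateral worth roughly 23% more than the debt it takes on, the pool's cash going to zero, the borrower left holding about 130 million of debt with nothing behind it, and about 8.87 million DAI remaining in the attacker's wallet after the flash loan is repaid. The same call with check_donations=True stops at the donation step: the health check is the only thing in the model that separates a lawful position from the self-liquidation the article describes.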

A representative from DeFi developer Spool told Cointelegraph that technological risk is an intrinsic feature of the DeFi ecosystem. Although it can't be eliminated, it can be mitigated by models that properly rate the risks of protocols.

According to Spool's risk management white paper, it uses a "risk matrix" to determine the riskiness of protocols. This matrix considers factors such as the protocol's annual percentage yield (APY), audits performed on its contracts, time since its deployment, total value locked (TVL) and others to produce a risk rating. Users of Spool can employ this matrix to diversify DeFi investments and limit risk.

The representative told Cointelegraph that Spool's matrix significantly reduced investor losses from the Euler incident.

"In this incident, the worst affected Smart Vaults, those designed by users to seek higher (and riskier) yields, were only affected for up to 35%. The lowest affected vault with exposure to Euler strategies (via Harvest or Idle), in comparison, was only affected by 6%. Some vaults had zero exposure and were thus not impacted," they stated.

Spool continued, "While this is not ideal, it clearly demonstrates the ability of the Smart Vaults to offer tailored risk models and to distribute users' funds among multiple yield sources."

Cointelegraph got a similar answer from SwissBorg, another DeFi protocol that aims to help users limit risk through diversification. SwissBorg CEO Cyrus Fazel stated that the SwissBorg app has "different yield strategies based on risk/timeAPY."

Some strategies are listed as "1: core = low," while others are listed as "2: adventurous = risky." Because Euler was given a "2" rating, losses from the protocol were limited to only a small portion of SwissBorg's total value locked, Fazel stated.

SwissBorg head of engineering Nicolas Rémond clarified further that the team employs sophisticated criteria to determine which protocols can be listed in the SwissBorg app.

"We have a due-diligence process for all DeFi platforms before entering any position. And then, once we're there, we have operation procedures," he said, adding, "The due diligence is all about TVL, team, audits, open-source code, TVL, oracle manipulation attack, etc. […] The operation procedure is about platform monitoring, social media monitoring and some emergency measures. Some are still manual, but we're investing to automatize everything so that we can be extremely reactive."

In a March 13 Twitter thread, the SwissBorg team stated that although the protocol had lost 2.2% of the funds from one pool and 29.52% from another, all users would be compensated by SwissBorg should the funds not be recoverable from Euler.

The Euler attack was the worst DeFi exploit of Q1 2023. Fortunately, the attacker returned most of the funds, and most users should end up with no losses when all is said and done. But the attack raises questions about how developers and users can limit risk as the DeFi ecosystem continues to grow.

Some combination of developer diligence and investor diversification may be the solution to the problem. Regardless, the Euler hack is likely to be discussed well into the future, if for no other reason than its sheer size and the way it illustrates the risks of DeFi exploits.