Euler Finance, a decentralized finance (DeFi) lending protocol, has suffered a flash loan attack resulting in the biggest crypto hack of 2023. The attack led to a loss of nearly $197 million, impacting not only Euler but also 11 other DeFi protocols.
In response, Euler disabled the vulnerable eToken module and donation function to block deposits. The company has reached out to leading on-chain analytics and blockchain security firms to help investigate and recover the funds. Euler is also in contact with those responsible for the attack in hopes of negotiating a bounty for the return of the stolen funds.
Despite a $1 million bug bounty in place and multiple security audits, the vulnerability remained on-chain for eight months until it was exploited. The audit group Sherlock verified the root cause of the exploit and helped Euler submit a claim for $4.5 million, which was later approved and resulted in a $3.3 million payout on March 14.
Sherlock’s analysis report noted a missing health check in a new function added in EIP-14 as a significant factor in the exploit. Euler stressed that the attack was technically possible even before EIP-14 and that a critical vulnerability was missed in a previous audit.