Monday March 15th, 2021 was a day of aftermath after almost $200 million was stolen from the Ethereum-based DeFi platform Euler Finance in a single exploit. In a desperate attempt to retrieve their losses, the Euler Foundation reached out on-chain to the hacker, sending a message with an ultimatum – offer to return 90% of the funds within 24 hours or be met with a $1 million reward for information leading to their arrest and the return of the funds.
However, it was not to be. The hacker was undeterred by the $1 million bounty, and sent 1,000 ETH (approximately $1.78 million at the time) to the privacy preserving Tornado Cash mixer.
This kind of brazen attack on one of the new DeFi protocols isn’t unheard of – according to blockchain forensics firm Chainalysis, 2022 was the biggest year for crypto hacks and exploits to date, with $3.8 billion stolen across DeFi protocols. It’s easy to see why these new blockchain-based services are so attractive to hackers – but what was the story behind this attack on Euler Finance?
The attack reportedly began when the hacker exploited a flash loan on a decentralized finance platform to get a loan of funds with no collateral, and immediately liquidated them for ones that used the same mechanism. With 30 minutes and a single transaction, the hacker was able to siphon off DAI ($8.7 million), Wrapped Bitcoin (WBTC, $18.5 million), Staked Ethereum (stETH, $135.8 million), and Circle’s USD stablecoin (USDC, $33.8 million).
With nearly sleepwalking into such immense losses, Euler Finance had to act fast. They immediately contacted blockchain security researchers, law enforcement, and the Ethereum security community for help. They also reached out to the hacker anonymously through on-chain messages, requesting to set up a secure communication channel to discuss “any potential next steps”. In the message, they even offered to not pursue legal action if they were returned the funds – a bold move which the hacker was evidently unwilling to take up.
Analysts identified the funds used in the attack as having been used in other hacks in the past. Even more worrying, many of these previous attacks have been linked to North Korean state-sponsored Lazarus hacking group. While this could have been a misdirection tactic to obscure the hacker’s identity, it could also point to the involvement of Lazarus in the Euler attack.
On Wednesday, Euler Finance split the difference in their tone, offering to return 90% of the funds provided the hacker make sure that investigations in the US and UK could be halted and the funds could be “distributed to protocol users”. Although this ultimatum was not accepted, enough of the Ether was recovered on Saturday that this DeFi drama appears to be coming to a close.
It will remain unclear what motivated the hacker, how they were able to gain such access, or who was behind the attack. What we do know is that such incidents are becoming increasingly more common, while the sophistication and workload of the incursions increase yearly. As this collaboration between the DeFi platform, the Ethereum security community, blockchain fraud response firms, and law enforcement shows, there are plenty of entities out there willing to lend a hand and help protect the assets of their fellow DeFi users. If anyone learns a lesson from yesterday’s incident, it’s that nobody can afford to become complacent about their Ethereum assets, with no matter how secure the protocols claim to be, history has shown that nothing is impervious to a determined and patiently determined hacker.