The past few days have sent shock waves through the decentralized finance (DeFi) world as Euler Finance, an Ethereum-based noncustodial lending protocol, battles a flash loan attacker. The attacker exploited the platform’s code and was able to steal nearly $200 million.
In response, Euler Finance sent the hacker a threatening ultimatum: return 90% of the funds within 24 hours or face a $1 million reward, offered by Euler Labs, for information that leads to the perpetrator’s arrest. The reward was publicly announced by the Euler Foundation today.
The reported losses from the DeFi attack add up to a very significant figure. The hacker was reportedly able to steal $8.7 million in the decentralized stablecoin DAI, $18.5 million in Wrapped Bitcoin (WBTC), $135.8 million in Staked Ethereum (stETH), and another $33.8 million in Circle’s USD stablecoin USDC. In addition, the hacker apparently siphoned off a hefty sum of Euler’s native cryptocurrency EUL, causing its token price to drop sharply by over 50%.
Euler Finance’s response to the attack was notably civil at first and was then followed by an ultimatum. Initially, the team at Euler wrote to the hacker, “We are writing to see whether you would be open to speaking with us about any potential next steps.” As potential next steps, the company proposed that the hacker return 90% of the stolen funds in exchange for a commitment to end the investigation and not take any legal action against the thief.
Fortunately, Euler Labs has both governmental and professional help in trying to track the hacker. The company has engaged the U.S. Justice Department, the FBI, U.K. law enforcement, Chainalysis, TRM Labs, and other security experts to investigate and recover funds. The team has even been able to disable the EToken module and the “vulnerable donation function” to limit further damage.
When asked what advice they have for DeFi users who want to protect themselves from similar attacks in the future, a spokesperson from Euler Labs said they always recommend that users lend and borrow only on protocols tested and audited by reputable security firms. “It is also important that users follow movements of their assets and read protocols’ smart contracts closely,” they said.
The attack has created quite a predicament for the anonymous hacker, who can return 90% of their loot to Euler in exchange for no legal action being taken and still pocket $17.6 million, or keep the full amount and risk being tracked down.
One Twitter user summarized the hacker’s dilemma best: “Look over your shoulder for the rest of your life, or take a $20m deal. No brainer.”
But the reward system may be the hacker’s final undoing. The $1 million reward gives anyone with information a strong incentive to come forward, and it will likely be a major factor in finding those responsible and helping Euler Finance return the funds to the users they belong to.
No one knows what the outcome of this DeFi battle will be, and until it is settled, the crypto world can only brace itself against further attacks. For now, Euler Finance looks to be in a strong position, with the backing of law enforcement and security firms and a brave decision to call on the hacker to return the funds instead of automatically proceeding with a legal investigation.