Euler Finance blocks vulnerable module, working on recovering funds

2 years ago

Euler is currently working with law enforcement agencies and blockchain security firms, trying to contact the exploiter to recover the funds.

Decentralized finance (DeFi) lending protocol Euler Finance became a victim of a flash loan attack on March 13, resulting in the biggest hack of crypto in 2023 so far. The lending protocol lost about $197 million in the attack and impacted more than 11 other DeFi protocols as well.

On March 14, Euler came out with an update on the situation and notified its users that they had disabled the vulnerable Etoken module to block deposits and the vulnerable donation function.

The firm said that they work with various security groups to perform audits of its protocol, and the vulnerable code was reviewed and approved during an outside audit. The vulnerability was not discovered as part of the audit.

One of our auditing partners, @Omniscia_sec, prepared a technical post-mortem and analysed the attack in great detail. You can read their report here: https://t.co/u4Z2xdutwe

In short, the attacker exploited vulnerable code which allowed it to create an unbacked token debt… https://t.co/FGnPqvYUGB

— Euler Labs (@eulerfinance) March 14, 2023

The vulnerability remained on-chain for 8 months until it was exploited, despite a $1 million bug bounty being in place during that time.

Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler submit a claim. The audit protocol later held a vote on the claim for $4.5 million, which was passed and later executed a $3.3 million payout on March 14.

The audit group, in its analysis report, noted that a major factor for the exploit was a missing health check in donateToReserves(), a new function added in EIP-14. However, the protocol stressed that the attack was still technically possible even before the existence of EIP-14.
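The invariant at stake can be shown with a small model. This is an added example, not Euler's contract code and not taken from either post-mortem: the `Account` and `Pool` classes, the single collateral factor and all balances are simplifying assumptions constructed for illustration.

```python
# Simplified model (assumption): one collateral balance and one debt balance
# per account, same unit, collateral counted at a fixed factor.
from dataclasses import dataclass

FACTOR_BPS = 9_000  # constructed value: collateral counts at 90%


class Unhealthy(Exception):
    """Raised when an operation would leave debt under-collateralised."""


@dataclass
class Account:
    collateral: int  # deposit-token balance
    debt: int        # debt-token balance

    def is_healthy(self) -> bool:
        return self.collateral * FACTOR_BPS >= self.debt * 10_000


class Pool:
    def __init__(self) -> None:
        self.reserves = 0

    def donate_unchecked(self, acct: Account, amount: int) -> None:
        # The flaw described above: collateral leaves the account, debt
        # stays, and solvency is never re-checked afterwards.
        if amount <= 0 or amount > acct.collateral:
            raise ValueError("invalid amount")
        acct.collateral -= amount
        self.reserves += amount

    def donate_checked(self, acct: Account, amount: int) -> None:
        # Hardened form: apply the change, enforce the health invariant,
        # and roll back on failure (a revert, in contract terms).
        before = (acct.collateral, self.reserves)
        self.donate_unchecked(acct, amount)
        if not acct.is_healthy():
            acct.collateral, self.reserves = before
            raise Unhealthy("donation would leave debt unbacked")


def demo() -> tuple:
    a, b, pool = Account(100, 80), Account(100, 80), Pool()
    pool.donate_unchecked(a, 50)   # accepted: 50 collateral now backs 80 debt
    try:
        pool.donate_checked(b, 50)
    except Unhealthy:
        pass                       # rejected, balances unchanged
    return a.is_healthy(), b.is_healthy(), b.collateral, pool.reserves
```

The general rule the model illustrates is that every code path that lowers an account's collateral or raises its debt has to end with the same solvency check, including paths that look like gifts to the protocol.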

Sherlock noted that the Euler audit by WatchPug in July 2022 missed the critical vulnerability that eventually led to the exploit in March 2023.

Similarly, Sherlock stands behind each auditor who reviewed Euler.

Sherlock initially worked with @cmichelio to audit the first version of Euler in Dec 2021, then with @shw9453 to audit a very small update in Jan 2022, and finally with @WatchPug_ to audit EIP-14 in July 2022.

— SHERLOCK (@sherlockdefi) March 13, 2023

Euler has also reached out to leading on-chain analytic and blockchain security firms, such as TRM Labs, Chainalysis and the broader ETH security community, in a bid to assist them with the investigation and recover the funds.

Euler notified that they are also trying to contact those responsible for the attack in order to learn more about the issue and possibly negotiate a bounty to recover the stolen funds.
