Euler Finance hacked despite 10 audits in 2 years, says CEO

2 years ago

Euler Labs CEO Michael Bentley stated he will “never forgive” the hacker as the exploit caused him to lose time with his newborn son.


Ten separate audits conducted over a two-year period of the Ethereum-based lending protocol Euler Finance deemed it to be “nothing higher than low risk” and having “no outstanding issues” prior to it suffering from a $196 million attack.

In a series of tweets on March 17, Euler Labs CEO Michael Bentley described the “hardest days” of his life after Euler’s $196 million flash loan attack on March 13.

He retweeted one user sharing information that Euler had 10 audits from 6 different firms, and commented that the platform “has always been a security-minded project.”

Euler has always been a security-minded project. The Euler smart contracts, including the vulnerable lines of code, were audited. https://t.co/SvNeoKEGuY

— Michael Bentley (@euler_mab) March 16, 2023

Blockchain security firms including Halborn, Solidified, ZK Labs, Certora, Sherlock and Omniscia conducted smart contract audits on Euler Finance from May 2021 to September 2022.

Halborn ranked its risk assessment by measuring the “likelihood of a security incident” and the impact it may have, with the risk level ranging from very low and informational, to critical — Euler received “nothing higher than low risk.”

It was revealed in a Dec. 2022 summary of Halborn’s audit that it had found “an overall satisfactory result.”

The summary stated 23 smart contracts were “inspected and analyzed” by Halborn over a one-month period, of which only “two low risks and 3 informational” risks were identified.

Euler stated it had reviewed Halborn’s summary and concluded the risks “pose no significant threats.”

Blockchain security firm Omniscia addressed some “incorrect paradigms” in Euler’s base swapper implementation, as well as how the swap mode was “handled by the codebase” — but stated in the report that these issues were “properly dealt” with by Euler, and “no outstanding issues” remained.


On March 16 the protocol’s hacker began moving funds through crypto mixer Tornado Cash only hours after a $1 million bounty was launched by Euler for information leading to the hacker’s arrest.

In his recent Twitter thread Bentley said he’ll never “forgive the attacker” as he was forced to “sacrifice time” with his newborn son due to the attack, but thanked security experts who are “working on leads” for the investigation.

Only 24 hours prior to the bounty, Euler issued a warning saying it would launch one “that leads to your arrest and the return of all funds” if 90% wasn’t returned within 24 hours.
