
Euler Finance team blocks vulnerable module
The DeFi protocol Euler Finance disabled the vulnerable EToken module, blocking deposits.
An update on our work today to recover funds for Euler protocol users.
Here are a few actions we took immediately:
1. Stopped the direct attack as soon as possible by helping disable the EToken module, which blocked deposits and the vulnerable donation function
2. Engaged TRM… https://t.co/6ZClE9uGoH
— Euler Labs (@eulerfinance) March 14, 2023
The project team has already notified U.S. and U.K. law enforcement authorities about a $196 million hack. In addition, Euler Finance has reached out to analytics firms Chainalysis and TRM Labs to assist with the investigation.
The project representatives also contacted the hacker and offered a reward for returning the stolen funds.
According to available information, the attacker exploited a flaw in the flash-loan mechanism by posting unsecured collateral. Due to a bug in the smart contract, the attacker was able to liquidate the debt and withdraw the funds.
One of our auditing partners, @Omniscia_sec, prepared a technical post-mortem and analysed the attack in great detail. You can read their report here: https://t.co/u4Z2xdutwe
In short, the attacker exploited vulnerable code which allowed it to create an unbacked token debt… https://t.co/FGnPqvYUGB
— Euler Labs (@eulerfinance) March 14, 2023
According to the Sherlock auditing group, which had previously collaborated with Euler, the vulnerability remained undetected for eight months. The company said that WatchPug, which audited the protocol in July 2022, did not uncover a critical flaw.
Similarly, Sherlock stands behind every auditor who reviewed Euler.
Sherlock initially worked with @cmichelio to audit the first version of Euler in Dec 2021, then with @shw9453 to audit a very small update in Jan 2022, and finally with @WatchPug_ to audit EIP-14 in July 2022.
— SHERLOCK (@sherlockdefi) March 13, 2023
Sherlock also helped the affected project draft a $4.5 million lawsuit, which was approved on March 14. As a result, the company unlocked $3.3 million to reimburse losses. Earlier, on March 10, Hedera Hashgraph disclosed the withdrawal of an undisclosed amount following a platform breach.