White-hat hacker explains the cause of Euler Finance's $200 million exploit

Fixing a vulnerability identified in Euler Finance’s DeFi protocol introduced another bug. In March an unknown attacker used it to drain $200 million, said the white-hat hacker known as Kankodu.

Source: X.

“Fixing the bug I disclosed ended up introducing the function responsible for the breach,” the expert wrote.

According to him, in June 2022 he alerted the developers to the “first-deposit bug.” The lending protocol allows users to borrow assets, receiving eTokens at the current exchange rate. The vulnerability Kankodu discovered let him artificially inflate that rate and withdraw all the coins.

The Euler Finance team awarded him a $50,000 bounty. On Immunefi’s white-hat leaderboard, the expert ranks 17th with 28 paid reports and earnings of $688,840.

To fix the vulnerability, the developers of the DeFi project changed the protocol so that every new eToken market is initialized with a collateral buffer of 1 million wei. This mirrored the Uniswap v2 approach and made the attack economically infeasible, according to Kankodu.
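To make the first-deposit bug and the effect of the 1 million wei buffer concrete, here is an added Python model of a share-issuing vault; it is not Euler’s or Kankodu’s code. The `Vault` class, its exchange-rate arithmetic, and the choice to model the buffer as shares permanently locked on the first deposit (the Uniswap v2 MINIMUM_LIQUIDITY idea) are assumptions, and all amounts are constructed.

```python
# Added model of an eToken-style share vault, NOT Euler's or Kankodu's code.
# The arithmetic, the Vault class and modelling the 1 million wei buffer as
# shares locked on the first deposit are assumptions; amounts are constructed.
MIN_BUFFER = 1_000_000  # wei, the buffer size the article describes


class Vault:
    def __init__(self, buffer: int = 0):
        self.buffer = buffer          # 0 = original behaviour, MIN_BUFFER = fixed
        self.total_assets = 0         # underlying held by the vault
        self.total_shares = 0         # shares outstanding, locked ones included

    def deposit(self, amount: int) -> int:
        """Mint shares for `amount`; return the shares credited to the caller."""
        if self.total_shares == 0:
            # First deposit mints 1:1, but `buffer` shares stay locked forever,
            # so a single account can never own the whole share supply.
            shares = amount - self.buffer
            if shares <= 0:
                raise ValueError("first deposit must exceed the buffer")
            self.total_shares = amount
        else:
            # Integer division rounds down: an inflated rate turns this into 0.
            shares = amount * self.total_shares // self.total_assets
            self.total_shares += shares
        self.total_assets += amount
        return shares

    def donate(self, amount: int) -> None:
        """Assets sent straight to the vault: the rate rises, no shares minted."""
        self.total_assets += amount

    def value_of(self, shares: int) -> int:
        """Underlying redeemable for `shares` (rounds down)."""
        return shares * self.total_assets // self.total_shares


def rate_manipulation(buffer: int, donation: int, victim_deposit: int) -> tuple[int, int]:
    """Manipulator deposits 1 wei above the buffer, donates, then a victim deposits.
    Returns (victim's redeemable value, manipulator's net gain or loss)."""
    v = Vault(buffer)
    own = v.deposit(buffer + 1)          # exactly 1 share after the buffer
    v.donate(donation)
    got = v.deposit(victim_deposit)
    spent = buffer + 1 + donation
    return v.value_of(got), v.value_of(own) - spent


if __name__ == "__main__":
    for b in (0, MIN_BUFFER):
        print(b, rate_manipulation(b, 10**18, 10**18))
```

Without the buffer the victim’s entire deposit rounds to zero shares and accrues to the manipulator; with the locked buffer the victim keeps almost all of it and the manipulator’s donation is lost to the locked shares, which is what "economically infeasible" means here.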

For existing markets with reserves already above 1 million wei, no action was necessary. For those below the threshold, the developers added the donateToReserves function, intended to raise the collateral above 1 million wei. It was this function, in combination with the protocol’s liquidation mechanism, that the attacker used against the protocol, the expert said.

“This serves as a costly lesson, as even small bug fixes carry the same importance as major updates such as a new version of the protocol,” emphasised Kankodu.

As previously reported, the Euler Finance hacker returned almost the entire stolen amount to the project, keeping about $19 million as the agreed reward.
