After six audits, $200 million was still stolen. How big is the chain reaction of Euler Lego?

23-03-14 18:50

Original author: Jaleel, 0x22D, BlockBeats

At 5:00 pm on March 13, Euler Finance was hit by a suspected flash loan attack. Euler Finance's total losses in this flash loan attack were about 197 million U.S. dollars, including more than 8.8 million DAI, 849 WBTC, 34 million USDC, and 85,000 stETH. Euler Finance immediately responded that it is cooperating with security professionals and law enforcement agencies. Euler Finance proposed a solution, saying that those affected by the vulnerability will be able to request a refund, and the remaining funds in the vault can be used to process the refund.


How did the hackers attack Euler? Which protocols are currently affected? Which companies have audited Euler? BlockBeats has put together a brief review.


A review of the attack process: a "violator" and a "liquidator"


Omniscia, one of Euler Finance's audit partners, has published a very detailed postmortem technical analysis of the attack, pointing out that the exploited vulnerability stemmed from Euler's failure to perform proper security checks on the donation address.


The vulnerable code was introduced in eIP-14, a proposal that made multiple changes throughout the Euler ecosystem. The flaw exists in the first change made to the EToken implementation (EToken: donateToReserves feature). The vulnerable code allowed the attacker to create unsecured token debt positions by donating funds to the protocol's reserve, then liquidate these accounts and profit from the liquidation bonuses.


Specifically, the liquidation module's internal logic attempts to pay off the violator's full debt, but if the collateral owned cannot meet the expected repayment yield, the system falls back to whatever other collateral the user owns. The assumption behind this code block is that this only occurs when a borrower has multiple collaterals and seizing all of them will not restore the violator to solvency.


This security assumption is not upheld by the donation mechanism, which allows users to create "bad debt" in the form of leverage that is left without collateral, by donating their EToken units without affecting their DToken balance.


Image source: Arkham Intelligence


According to Arkham's investigation, the attackers used more than 20 different contract addresses to obtain various crypto assets from Euler. For each asset, the hacker deployed two contracts: a "violator" and a "liquidator". The "violator" uses the donation function to subvert Euler's logic, and the "liquidator" then cleans up the leftovers.


The hacker's specific execution process was as follows:


1) First, draw a flash loan from Balancer / Aave v2 and borrow 30M DAI


2) Deploy two contracts: Violator and Liquidator. The "violator" makes the deposits, and the "liquidator" is responsible for closing the position in the same transaction


3) Deposit 2/3 of the funds into Euler: send 20M DAI to Euler and receive 19.5M eDAI


4) Then borrow 10 times the deposited amount, receiving 195.6M eDAI and 200M dDAI from Euler


5) Use the remaining 1/3 of the funds to repay part of the debt: send 10M DAI and burn 10M dDAI


6) Repeat step 4, receiving 195.6M eDAI and 200M dDAI from Euler


7) Donate 10 times the repaid funds: donate 100 million eDAI to Euler


8) The "liquidator" then steps in and liquidates the violator account because eDAI < dDAI, obtaining 310M eDAI and 259M dDAI of debt from the violator


9) Then withdraw all tokens from Euler, including the withdrawal of 38.9M DAI


10) After repaying the flash loan, convert USDC and WBTC to DAI and ETH


Image source: Arkham Intelligence
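
The balances in steps 3 to 7 can be followed in a toy ledger, with the flawed donation path beside one that re-checks health. This is an added example, not Euler's code or part of the original article. `ToyMarket`, `Account` and `replay` are hypothetical names, amounts are in millions, and solvency is simplified to eDAI >= dDAI, the condition the article cites.

```python
from dataclasses import dataclass
from decimal import Decimal as D

class HealthCheckFailed(Exception): """The operation would leave debt unbacked."""

@dataclass
class Account:
    etoken: D = D(0)  # collateral units (eDAI), in millions
    dtoken: D = D(0)  # debt units (dDAI), in millions

    def healthy(self) -> bool:
        # Assumption: solvent iff eDAI >= dDAI (real markets risk-adjust both).
        return self.etoken >= self.dtoken

class ToyMarket:
    def __init__(self, check_donations: bool):
        self.check_donations = check_donations
        self.reserves = D(0)

    def mint(self, acct: Account, etokens: D, dtokens: D) -> None:
        # Self-collateralised borrow: collateral and debt are credited together.
        if acct.etoken + etokens < acct.dtoken + dtokens:
            raise HealthCheckFailed("mint would leave debt unbacked")
        acct.etoken += etokens
        acct.dtoken += dtokens

    def donate_to_reserves(self, acct: Account, etokens: D) -> None:
        remaining = acct.etoken - etokens
        if remaining < 0:
            raise ValueError("donation exceeds eToken balance")
        # The check missing from the flawed path: a donation leaves debt
        # untouched, so the remaining collateral must still cover it.
        if self.check_donations and remaining < acct.dtoken:
            raise HealthCheckFailed("donation would leave debt unbacked")
        acct.etoken = remaining
        self.reserves += etokens

def replay(check_donations: bool):
    """Replay steps 3-7 with the article's figures; returns (account, rejected)."""
    market, violator = ToyMarket(check_donations), Account()
    violator.etoken += D("19.5")                       # step 3: deposit
    market.mint(violator, D("195.6"), D("200"))        # step 4: 10x mint
    violator.dtoken -= D("10")                         # step 5: repay 10M
    market.mint(violator, D("195.6"), D("200"))        # step 6: mint again
    try:
        market.donate_to_reserves(violator, D("100"))  # step 7: donate
    except HealthCheckFailed:
        return violator, True
    return violator, False
```

With the check disabled the violator ends at 310.7M eDAI against 390M dDAI, the liquidatable state of step 8; with it enabled the donation is rejected and the position stays covered.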


The exploit was actually carried out from two different address clusters. The address above was used to execute the exploit across non-DAI tokens. Two separate addresses were used to call and execute exploit functions on DAI.


Addresses marked "recipient" are the contract addresses used to perform the exploit (and subsequently receive the exploited funds). The vast majority of funds were sent to separate addresses labeled "holders." The address currently holds $192 million worth of cryptocurrency.


Image source: Arkham Intelligence


The wETH profit was sent to another address. The Main Caller address holds about 8K ETH, currently worth nearly $13.6M, which is all the ETH removed from the Euler wETH market.


According to PeckShield's monitoring, Euler Finance attackers have passed the address starting with 0xc66d, at least to

At the same time, according to analysis by on-chain investigator ZachXBT, this address attacked some protocols on BSC a few weeks ago, and the stolen funds were also deposited into Tornado Cash. As most would guess, the attacker is almost certainly a black hat.



Which protocols are affected?


The attack on Euler has spread widely, affecting several Euler-related DeFi protocols, including:


Aztec

Euler Finance's vulnerability affected Aztec Connect users trying to withdraw funds, and affected users are currently unable to withdraw. Aztec has no control over the integration with Euler; Aztec Connect itself is currently functioning.


In addition, it is worth noting that Aztec has announced that Aztec Connect, the world's first privacy rollup, has some design problems that increase its maintenance cost. Considering the scale of the project and commercial factors, Aztec is about to close Connect, and all engineering resources will be devoted to building the L2 privacy protocol Noir; the next version will support fully programmable smart contracts with default privacy. (BlockBeats note: for more information about Aztec's upcoming closure of Connect, please read "Aztec Interview: Closing Connect is a commercial consideration, Continuing to build L2 privacy protocol Noir".)


Yield


Yield Protocol has shut down its mainnet lending-related operations due to the Euler attack. Yield's mainnet liquidity pools are built on Euler. Euler has suspended its mainnet contracts, and Yield has taken the app offline and closed the lending entrance in the official website UI.




Balancer


In the Euler Finance attack, about 11.9 million USD was sent to Euler from the bbeUSD liquidity pool, accounting for 65% of the pool's TVL. bbeUSD is also deposited into 4 other liquidity pools: wstETH/bbeUSD, rETH/bbeUSD, TEMPLE/bbeUSD and DOLA/bbeUSD. All other Balancer liquidity pools are safe. Due to the measures taken to protect the remaining funds, the UI currently does not support existing LPs exiting their positions in these bbeUSD pools, but there is no risk of further loss of funds. Users of the bbeUSD pools can use the UI to withdraw tokens and bbeUSD proportionally, but funds cannot be withdrawn from bbeUSD until Euler restores the transferability of eTokens (e.g. eDAI/DAI).


SwissBorg


SwissBorg deposited 6,357 ETH and 1.7 million USDT in Euler. After the attack, SwissBorg quickly lent 4,752 cbETH to reduce losses, but about 1617.23 ETH (or only 2.27% of the total assets subscribed to the plan) and nearly 1.7 million USDT (29.52% of the total assets subscribed to the plan) were still stranded and lost.


Fortunately, according to SwissBorg, a lot of preparation had been done, including risk management procedures, so the extent of the loss was minimal. SwissBorg will bear all losses incurred in this event, and users will not suffer any losses as a result.


Idle DAO



DeFi protocol Idle Finance issued a statement saying that, after investigation, the protocol's exposure to the Euler Finance incident through its Yield Tranches strategy involved approximately $5.35 million in stablecoins and 320 ETH, and its exposure through the Best Yield strategy involved $4.8 million in stablecoins and 313 ETH.


In addition, Idle Finance emphasized that the actual impact will depend on the actions taken by the Euler team and possible mitigation measures. The above figures are not realized drawdowns, but the actual amounts locked in Euler. Idle Finance also stated that the Senior/Junior Best Yield DAI vault had transferred all its funds to Aave last week because of the USDC depeg, so the vault (with a total TVL of $11.2 million) was not affected by the Euler incident and is now operating as expected and earning yield from Aave.


Angle


Angle Protocol, a decentralized stablecoin protocol, posted on social media: "Angle Protocol is affected by the Euler exploit, which deposits 17.6 million USDC into Euler. Agreement suspended, debt ceiling set to 0, Euler AMO closed. Situation is being monitored and updates will be made as soon as they are received."


In addition, Angle Protocol stated that before the Euler hack, the TVL of the Angle Core module was about 36 million US dollars, and 17.2 million agEUR had been minted through the core module. The protocol also held approximately $11.6 million in deposits from standard liquidity providers, approximately $35,300 in deposits from hedging agents, and approximately $5.58 million in surplus.


If the hacked funds (17,614,940.03 USDC) are determined to be lost, the TVL for Angle's core modules would drop to approximately $18.4 million. In this case, the amount of reserves in the core module will be lower than the value of the claims of agEUR holders, standard liquidity providers, and remaining hedging agents in the protocol.


Yearn


DeFi yield aggregator Yearn said that although it was not directly exposed to the Euler attack, some Yearn vaults were indirectly exposed because they use Idle and Angle strategies. Of this, exposure on yvUSDT and yvUSDC totals $1.38 million, and any remaining bad debts will be borne by Yearn vaults, all of which will remain open and fully operational.


Six audit firms with "malfeasance"


As soon as the incident broke, public opinion turned to distrust of blockchain security audit companies. How could a project this strong, one able to engage 6 security companies to audit it, have a loophole that lost hundreds of millions of dollars? Cries of "DeFi is over" and "audits are useless" echoed everywhere. But did these 6 audit companies really overlook Euler's loophole?



Certora



Certora is an Israel-based blockchain security company that provides security analysis tools and services for smart contracts. In May 2022, Certora raised $36 million in a Series B round led by Jump Crypto. Before raising $36 million, Certora had found bugs for Aave, Compound, Balancer, and SushiSwap, most of which were discovered and fixed immediately before the code was deployed.


Certora audited Euler between September and October 2021. In its audit report, Certora pointed out that Euler's code contained 3 high-severity problems, 4 medium-severity problems, and 2 low-severity problems. Some means to evade reckoning.


The code that caused the theft came from eIP-14, a new proposal introduced by Euler in July 2022; therefore Certora is not liable in this incident.


Halborn


Halborn is a blockchain security company headquartered in Miami. In July 2022, Halborn announced the completion of a US$90 million Series A financing led by Summit Partners, with Castle Island Ventures, Digital Currency Group and Brevan Howard participating in the round. Halborn's users include well-known projects such as Solana, Avalanche, and BAYC.


Since Halborn's audit of Euler took place between May and June 2021, before eIP-14 was introduced, Halborn is also not liable.


Solidified & ZK Labs


Solidified and ZK Labs, two blockchain security companies, have provided audit services for projects such as OpenSea, Tether and Cosmos respectively. They jointly audited Euler in May 2021 and therefore are not liable in this incident.


Pen Test Partners


Pen Test Partners is a network security company that does not focus only on the blockchain field. In June 2022, Pen Test Partners audited the security of the Euler DApp, and concluded in its audit report that "the App can resist attacks very well, and the risk to Euler infrastructure and user data is low." Pen Test Partners is also not liable.


Omniscia


Omniscia is a decentralized team of experienced smart contract auditors and developers with deep professional expertise in building and securing complex decentralized networks and applications. Its audit clients include Polygon, Ava Labs and 240 other projects and companies.


Omniscia audited Euler 3 times, in March, June and September 2022. The audits covered Merkle pledge mining security, Chainlink-related functional security, and Swap Hub security. Although the last audit took place 2 months after eIP-14 was proposed, Omniscia did not make major mistakes because eIP-14 was not included in these 3 audits.


SHERLOCK


SHERLOCK is a smart contract insurance service and audit platform that provides a total of $10 million in on-chain vulnerability insurance and bounty rewards for clients such as Opyn, Euler, Lyra, Tempus, LiquiFi, and Hook.


SHERLOCK has conducted a total of 3 audits for Euler. First completed by auditor Chris Michel in December 2021, then updated by auditor shw9453 in January 2022. The last audit was done by auditor WatchPug in July 2022, on the eIP-14 that triggered the attack.



WatchPug found seven problems in the eIP-14 code, but did not find the trigger of this incident, EToken:donateToReserves.


SHERLOCK expressed willingness to take responsibility and launched a $4.5 million compensation plan, of which it has paid 3.3 million, but this is too little compared to the loss of $200 million.


Web3 needs a new audit mechanism


The vulnerable function was last audited by SHERLOCK, and the other 5 audit firms have no direct connection to it. Even so, a project with all-star VC backing, and with many well-known DeFi protocols as upstream fund providers, was hacked for nearly 200 million US dollars in a short period of time, a huge sum. Many community members said that this attack on Euler has dealt a considerable psychological blow to DeFi.



Contrary to the claim that "audits are useless", this incident actually highlights both the importance of blockchain security audits and the limitations of the current audit process. Auditors' human error, unclear audit scope, and the auditing of new proposals are currently the main factors affecting audit effectiveness. SHERLOCK, which bears the main responsibility for this incident, had in fact already recognized these problems.



SHERLOCK said in August 2022 that spending a lot of money to have a few people check your code for 4 months is tantamount to being cheated, and urged projects not to be fooled again. SHERLOCK introduced the capture-the-flag style competition from the traditional security field, using USDC as a reward and running a loophole-finding competition for each individual project, so as to draw on the power of a wider community of hundreds of people.


Unfortunately, because eIP-14 was released before SHERLOCK launched its new audit mechanism, the audit was still completed by only a few auditors working alone. SHERLOCK ended up in the very situation it had warned about, and Euler was the one fooled.


