Euler Finance hacked for over $195M in a flash loan attack

Euler Finance was exploited in a flash loan attack that drained hundreds of millions of decentralized stablecoins and synthetic ERC-20 tokens.

Ethereum-based noncustodial lending protocol Eurler finance faced a flash loan attack on March 13, with the attacker managing to steal millions in Dai (DAI), USD Coin (USDC), staked Ether (StETH) and wrapped Bitcoin (WBTC).

According to on-chain data, as per the last update, the exploiter carried out multiple transactions, stealing nearly $196 million. The ongoing attack has already become the largest hack of 2023. The breakdown of stolen funds is as follows: 

Funds stolen from Euler Finance. Source: BlockSec.

According to another crypto analytic firm Meta Seluth, the attack correlates with the deflation attack one month ago. The attacker used a multichain bridge to transfer the funds from the BNB Smart Chain (BSC) to Ethereum and launched the attack today.

Movement of funds from Euler Finance. Source: Meta Seluth

Euler Finance acknowledged the exploit and said they are currently working with security professionals and law enforcement to resolve the issue.

ZachXBT, another prominent on-chain sleuth, pointed out that the movement of funds and the nature of the attack seems quite similar to black hats that exploited a BSC-based protocol last month. After exploiting a protocol on BSC a few weeks ago, the funds were deposited to the crypto mixer, Tornado Cash.

Euler Finance raised $32 million in a funding round last year that saw participation from FTX, Coinbase, Jump, Jane Street and Uniswap.

Euler Finance became quite popular for offering liquid staking derivatives (LSDs) services. LSDs are a relatively new type of token that enable stakers to augment potential returns by unlocking liquidity for staked cryptocurrency, such as Ether (ETH). Currently, LSDs make up to 20% of total value locked in centralized finance protocols.

This is a developing story, and further information will be added as it becomes available.

Go to Source