Hackers stole almost $200 million worth of cryptocurrencies from the Euler Finance lending protocol, the media reported earlier this week.
Euler is a non-custodial Decentralized Finance (DeFi) protocol on Ethereum that allows users to lend and borrow almost any crypto asset. The company behind the protocol, Euler Labs, confirmed the incident via Twitter, saying security professionals, as well as the police, have been brought in to investigate the matter.
Per BleepingComputer (opens in new tab), the incident exploited a poorly designed flash loan feature, allows users to borrow funds “in a flash”, and return them just as quickly. The feature had a vulnerability allowing the attackers to borrow a large sum of money without having to return its value to the service.
Wrapped BTC and Staked ETH
“The attackers use an exploit that allows them to manipulate the price of a token or asset on the platform during the few seconds that they hold the lent amount, so when the trade is complete, they are left with a massive profit,” the publication explained.
In this incident, the attackers stole $8.75 million in the DAI token, $18.5 million in WBTC (“wrapped” bitcoin – bitcoin on the Ethereum network), $33.85 million in USDC (a stablecoin whose value is pegged to the US dollar), and $135.8 million in stETH (staked ETH – a liquid staking derivatives token used to represent staked Ether on Lido (LDO)).
While the media are reporting that the funds are being monitored and that it will be difficult for the attackers to convert them into something they can use (and not get confiscated), blockchain analytics firm Elliptic says some of the stolen tokens already made it through the Tornado Cash mixer (in other words, they were laundered).
Following the news, the Euler token (EUL) dropped in value from $6.2 to $3.1 at press time.