Key Highlights
- Euler Finance was hacked resulting in a total loss of approximately $197 million across multiple currencies. Almost 100% of user deposits are under the hacker’s control, and none of the funds seem likely to be returned. The hack has a ripple effect across some other platforms in the cryptocurrency space.
- Sherlock DeFi, a protocol on the Ethereum blockchain that protects DeFi users from smart contract exploits, has taken a great step in paying out a claim, but it amounts to barely 2.2% of the stolen amount, leaving many investors uncertain about where things will go from here.
- According to Luke Lombe, a core developer at Spool, restoring investor confidence in the DeFi space requires a multi-faceted approach, including improving security, enhancing transparency, educating users, establishing industry standards, and encouraging responsible regulations that protect investors without stifling innovation. AI can play a crucial role in ensuring a safer DeFi space by monitoring transactions and identifying unusual patterns.
It’s 2023 and, despite crypto recovering from last year’s market downturn, hacks in the space have yet to subside. DeFi faced another major incident as Euler Finance fell victim to an exploit that resulted in a total loss of approximately $197 million across multiple currencies.
Almost 100% of user deposits are now under the attacker’s control; at the time of writing, the hacker is not communicating with the Euler team and none of the funds seem likely to be returned.
This hack is significant because it has a ripple effect across some other platforms in the cryptocurrency space. Some Yearn Vaults were indirectly exposed to Euler, amounting to $1.38 million in exposure via Idle and Angle, and are using their treasury to cover bad debt.
Idle Finance had 100% exposure via their USDC / USDT tranches and is now reliant on a resolution by Euler and their auditors to recover those funds. Harvest Finance was also heavily impacted as their USDC, USDT, and WETH vaults were routed through Idle Finance. As such, they are also dependent on resolution via Euler.
Sherlock DeFi, a protocol on the Ethereum blockchain that protects Decentralized Finance (DeFi) users from smart contract exploits, has taken a great step in paying out a claim, but it amounts to barely 2.2% of the stolen amount, leaving many investors uncertain about where things will go from here.
How it Happened
Following an incident post-mortem by Omniscia, an auditor used by Euler, it appears that a single function enabled the attack. This “donateToReserves” function was added as part of its eIP-14 upgrade in July 2022 and sat within the system for 8 months despite active bug bounties through both Euler and their auditor.
As a result of flawed logic within this update, the attacker was able to artificially create an unbacked debt token within Euler that would never be liquidated.
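The flaw described above, illustrated with a deliberately simplified lending-pool model written for this article (it is not Euler’s code): a donation routine that moves collateral out of an account without the account-health check that borrowing runs, beside a hardened version that runs the same check and rolls back. The collateral factor, the amounts and the framing of the defect as a missing post-operation health check are assumptions for the illustration.

```python
from dataclasses import dataclass
COLLATERAL_FACTOR = 0.75  # borrowable fraction of collateral (assumed value)

class Insolvent(Exception):
    """Operation would leave an account with more debt than its collateral supports."""

@dataclass
class Account:
    collateral: float = 0.0  # deposit balance (eToken-like)
    debt: float = 0.0        # borrow balance (dToken-like)
    def is_healthy(self):
        return self.debt <= self.collateral * COLLATERAL_FACTOR

    def unbacked_debt(self):  # bad debt that liquidation can never clear
        return max(0.0, self.debt - self.collateral)

def borrow(acct, amount):
    acct.debt += amount
    if not acct.is_healthy():  # borrowing runs the health check ...
        acct.debt -= amount
        raise Insolvent("borrow would exceed collateral limit")

def donate_unchecked(acct, reserves, amount):
    # Vulnerable pattern (constructed): collateral leaves the account, but nothing
    # re-checks whether the debt left behind is still backed.
    acct.collateral -= amount
    return reserves + amount

def donate_checked(acct, reserves, amount):
    # Hardened form: same transfer, then the same health check borrow() runs.
    acct.collateral -= amount
    if not acct.is_healthy():
        acct.collateral += amount  # roll back before rejecting
        raise Insolvent("donation would leave debt unbacked")
    return reserves + amount

def run_vulnerable():
    acct = Account(collateral=100.0)
    borrow(acct, 75.0)                        # at the limit, still healthy
    donate_unchecked(acct, 0.0, 90.0)         # collateral 10, debt 75
    return acct.unbacked_debt()               # 65.0 owed with nothing behind it

def run_hardened():
    acct = Account(collateral=100.0)
    borrow(acct, 75.0)
    try:
        donate_checked(acct, 0.0, 90.0)
    except Insolvent:
        return acct.collateral == 100.0  # state unchanged, donation refused
    return False
```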
Once the direct attack had stopped, Euler engaged various crypto-native teams for investigation, as well as UK and US law enforcement, and the investigation is continuing. The code was audited by Sherlock DeFi prior to launch, which also provided a coverage policy for exactly this kind of incident.
Sherlock has passed a vote on a $4.5 million payout, $3.3 million of which has been paid so far, the first time an audit team has paid this amount for a missed vulnerability.
Expert Opinion
Nairametrics was able to speak to Luke Lombe, a core developer at Spool, a permissionless DeFi platform that connects Capital Aggregators with DeFi yield generators, to comment on the Euler hack, the future of DeFi and the role Artificial Intelligence (AI) can play in building a safer DeFi space.
Enjoy the conversation.
NAIRAMETRICS: $200 million is a lot of money. What are the chances of recovering this fund from the hacker?
Luke Lombe: Recovering the stolen $200 million from the hacker is a challenging and potentially impossible task. The hacker’s wallet is related to prior hacks and attempts to recover the funds have proven futile. The chances of recovery depend on the ability of the hacker to conceal their tracks, the response from the crypto community, and law enforcement’s efficiency in investigating the matter.
NAIRAMETRICS: With the level of hacks we have seen in the cryptocurrency space, is there really a possibility of smart contracts being a disruption to the traditional banking system?
Luke Lombe: Despite the prevalence of hacks in the crypto space, smart contracts still have the potential to disrupt the traditional banking system. As the technology matures and security measures improve, the benefits of decentralization, lower fees, and increased financial accessibility can easily outweigh the risks.
It is essential for the industry to prioritize safety and transparency, learn from these incidents, and continue to actively innovate solutions to the challenges we face.
NAIRAMETRICS: In what ways do you think we can restore investor confidence in the space? Not just the hacks but everything that has happened in the past 12 months.
Luke Lombe: Restoring investor confidence in the DeFi space requires a multi-faceted approach:
- Improving security, as investments must be made in thorough audits, bug bounties, and other security measures to prevent hacks.
- Enhancing transparency, by providing clear and accessible information about projects, teams, and the risks involved.
- Educating users about best practices for managing their investments and securing their assets.
- Establishing industry standards, in a bid to promote collaboration among projects to create and adopt best practices and security standards.
- Lastly, regulatory clarity, so as to encourage responsible regulations that protect investors without stifling innovation.
NAIRAMETRICS: What steps can Euler take to mitigate these hacks in the future?
Luke Lombe: To mitigate future hacks, Euler can conduct multiple rigorous smart contract audits by reputable firms, implement high-value bug bounties to incentivize the discovery and reporting of vulnerabilities, collaborate with other projects in the DeFi space to share knowledge and adopt best practices, and maintain a strong focus on security and transparency in their development processes and communications.
It should be noted that Euler was audited, did conduct bug bounties, and had some insurance. But the more the better.
NAIRAMETRICS: What role can AI play in ensuring a safer DeFi space?
Luke Lombe: AI can play a crucial role in ensuring a safer DeFi space. We are at the cusp of a huge leap forward in capability with AI, as it relates to most sectors, but also within DeFi safety.
A few areas where AI can have a positive impact would be:
- Anomaly detection, as AI can monitor transactions, identify unusual patterns, and potentially flag malicious activities.
- Smart contract analysis, as AI-powered tools can help analyze and validate smart contracts for vulnerabilities and potential exploits.
- Risk assessment, because AI can aid in assessing the risk levels of various DeFi platforms, helping users make informed decisions.
- Automation of security measures, because AI can help automate the implementation of security protocols, reducing human error and response times.
- Ongoing monitoring, as AI-driven tools can provide continuous monitoring and assessment of DeFi projects, ensuring a secure environment for users.
We are aware of multiple innovative builders that are working on bringing high-utility products to market that leverage the power of AI. It’s an exciting time.