Connect with us

Hi, what are you looking for?



Euler Loses Nearly $200 Million to Flash Loan Attack

London, UK based De-Fi platform company Euler has lost a reported $196 million to a flash loan attack.

London, UK based De-Fi platform company Euler has lost a reported $196 million to a flash loan attack.

A flash loan is an instant unsecured loan controlled by smart contracts. It allows a borrower to obtain collateral, use that collateral for its purposes, and return the collateral to its source provided it all occurs within a single transaction. It consequently relies on a sequence of complex conditions. 

A legitimate example could be a trader wishing to take instant advantage of different coin values on different platforms: borrow the money without collateral, buy at the low price and sell at the high price, and return the loan instantly.

The concept was pioneered in 2020 by the Ethereum lending platform Aave, which states in its documentation, “There is no real-world analogy to Flash Loans.” Coindesk adds, “The concept is new and still has a lot of kinks [as] new hacks are making abundantly clear.”

Details of this attack are not yet clear. PeckShield Inc tweeted a warning to Euler “Hi @eulerfinance: you may want to take a look…”

Euler responded mid-morning (GMT), March 13, 2023, “We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it.” The Euler website displays a similar sentiment.

Flash Loan Attack

It appears that the attacker used flash loans to borrow from the De-Fi protocols Aave and Balancer, and deposited the money with Euler. The attacker then borrowed ten times the amount it had deposited with Euler. The precise means, or vulnerability, by which the attacker could break the smart contract and keep the borrowings is not clear. Nor is it entirely clear whether the attack has finished, or whether it is still in process and more losses will be revealed.

Rebecca Moody, head of data research at Comparitech, commented, “De-Fi platform Euler Labs has suffered a flash loan attack, with reports suggesting as much as $197 million has been stolen in total (figures are continually growing as this is updated).” She notes that this is the largest crypto hack of 2023 so far, and the eleventh largest of all time. 

Advertisement. Scroll to continue reading.

“It also takes the total lost in 2023 so far to more than $363 million with 43 attacks recorded so far,” she continued. “Flash loans account for 14 of these attacks and more than half of the funds stolen ($207.5 million).”

Euler was founded in September 2020 in London by Doug Hoyte, Jack Prior, and Michael Bentley (CEO). It has raised a total of $40.8 million over three rounds – the latest being a venture round (series undisclosed) in June 2022.

UPDATE, March 29: Coindesk now reports the hacker, calling himself ‘Jacob’, is returning the stolen money. Jacob doesn’t make the reason clear, and there is no official confirmation on Euler’s website. We will update this story if more relevant data becomes available.

Related: FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist

Related: Hackers Steal Over $600M in Major Crypto Heist

Related: Nearly $200 Million Stolen From Cryptocurrency Bridge Nomad

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...