London, UK based De-Fi platform company Euler has lost a reported $196 million to a flash loan attack.
A flash loan is an instant unsecured loan controlled by smart contracts. It allows a borrower to obtain collateral, use that collateral for its purposes, and return the collateral to its source provided it all occurs within a single transaction. It consequently relies on a sequence of complex conditions.
A legitimate example could be a trader wishing to take instant advantage of different coin values on different platforms: borrow the money without collateral, buy at the low price and sell at the high price, and return the loan instantly.
The concept was pioneered in 2020 by the Ethereum lending platform Aave, which states in its documentation, “There is no real-world analogy to Flash Loans.” Coindesk adds, “The concept is new and still has a lot of kinks [as] new hacks are making abundantly clear.”
Details of this attack are not yet clear. PeckShield Inc tweeted a warning to Euler “Hi @eulerfinance: you may want to take a look…”
Euler responded mid-morning (GMT), March 13, 2023, “We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it.” The Euler website displays a similar sentiment.

It appears that the attacker used flash loans to borrow from the De-Fi protocols Aave and Balancer, and deposited the money with Euler. The attacker then borrowed ten times the amount it had deposited with Euler. The precise means, or vulnerability, by which the attacker could break the smart contract and keep the borrowings is not clear. Nor is it entirely clear whether the attack has finished, or whether it is still in process and more losses will be revealed.
Rebecca Moody, head of data research at Comparitech, commented, “De-Fi platform Euler Labs has suffered a flash loan attack, with reports suggesting as much as $197 million has been stolen in total (figures are continually growing as this is updated).” She notes that this is the largest crypto hack of 2023 so far, and the eleventh largest of all time.
“It also takes the total lost in 2023 so far to more than $363 million with 43 attacks recorded so far,” she continued. “Flash loans account for 14 of these attacks and more than half of the funds stolen ($207.5 million).”
Euler was founded in September 2020 in London by Doug Hoyte, Jack Prior, and Michael Bentley (CEO). It has raised a total of $40.8 million over three rounds – the latest being a venture round (series undisclosed) in June 2022.
Related: FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Related: Hackers Steal Over $600M in Major Crypto Heist
Related: Nearly $200 Million Stolen From Cryptocurrency Bridge Nomad

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
More from Kevin Townsend
- Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy
- Burnout in Cybersecurity – Can It Be Prevented?
- Verosint Launches Account Fraud Detection and Prevention Platform
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Meta Develops New Kill Chain Thesis
- The Rise of the BISO in Contemporary Cybersecurity
- ChatGPT and the Growing Threat of Bring Your Own AI to the SOC
- Euler Loses Nearly $200 Million to Flash Loan Attack
Latest News
- Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April
- US to Adopt New Restrictions on Using Commercial Spyware
- Hackers Earn Over $1 Million at Pwn2Own Exploit Contest
- GoAnywhere Zero-Day Attack Hits Major Orgs
- Australia Dismantles BEC Group That Laundered $1.7 Million
- ‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns
- Webinar Tomorrow: Understanding Hidden Third-Party Identity Access Risks
- GitHub Rotates Publicly Exposed RSA SSH Private Key
