Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Euler Loses Nearly $200 Million to Flash Loan Attack

London, UK based De-Fi platform company Euler has lost a reported $196 million to a flash loan attack.

London, UK based De-Fi platform company Euler has lost a reported $196 million to a flash loan attack.

A flash loan is an instant unsecured loan controlled by smart contracts. It allows a borrower to obtain collateral, use that collateral for its purposes, and return the collateral to its source provided it all occurs within a single transaction. It consequently relies on a sequence of complex conditions. 

A legitimate example could be a trader wishing to take instant advantage of different coin values on different platforms: borrow the money without collateral, buy at the low price and sell at the high price, and return the loan instantly.

The concept was pioneered in 2020 by the Ethereum lending platform Aave, which states in its documentation, “There is no real-world analogy to Flash Loans.” Coindesk adds, “The concept is new and still has a lot of kinks [as] new hacks are making abundantly clear.”

Details of this attack are not yet clear. PeckShield Inc tweeted a warning to Euler “Hi @eulerfinance: you may want to take a look…”

Euler responded mid-morning (GMT), March 13, 2023, “We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it.” The Euler website displays a similar sentiment.

Flash Loan Attack

It appears that the attacker used flash loans to borrow from the De-Fi protocols Aave and Balancer, and deposited the money with Euler. The attacker then borrowed ten times the amount it had deposited with Euler. The precise means, or vulnerability, by which the attacker could break the smart contract and keep the borrowings is not clear. Nor is it entirely clear whether the attack has finished, or whether it is still in process and more losses will be revealed.

Rebecca Moody, head of data research at Comparitech, commented, “De-Fi platform Euler Labs has suffered a flash loan attack, with reports suggesting as much as $197 million has been stolen in total (figures are continually growing as this is updated).” She notes that this is the largest crypto hack of 2023 so far, and the eleventh largest of all time. 

“It also takes the total lost in 2023 so far to more than $363 million with 43 attacks recorded so far,” she continued. “Flash loans account for 14 of these attacks and more than half of the funds stolen ($207.5 million).”

Euler was founded in September 2020 in London by Doug Hoyte, Jack Prior, and Michael Bentley (CEO). It has raised a total of $40.8 million over three rounds – the latest being a venture round (series undisclosed) in June 2022.

Related: FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist

Related: Hackers Steal Over $600M in Major Crypto Heist

Related: Nearly $200 Million Stolen From Cryptocurrency Bridge Nomad

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...