London, UK based De-Fi platform company Euler has lost a reported $196 million to a flash loan attack.
A flash loan is an instant unsecured loan controlled by smart contracts. It allows a borrower to obtain collateral, use that collateral for its purposes, and return the collateral to its source provided it all occurs within a single transaction. It consequently relies on a sequence of complex conditions.
A legitimate example could be a trader wishing to take instant advantage of different coin values on different platforms: borrow the money without collateral, buy at the low price and sell at the high price, and return the loan instantly.
The concept was pioneered in 2020 by the Ethereum lending platform Aave, which states in its documentation, “There is no real-world analogy to Flash Loans.” Coindesk adds, “The concept is new and still has a lot of kinks [as] new hacks are making abundantly clear.”
Details of this attack are not yet clear. PeckShield Inc tweeted a warning to Euler “Hi @eulerfinance: you may want to take a look…”
Euler responded mid-morning (GMT), March 13, 2023, “We are aware and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it.” The Euler website displays a similar sentiment.
It appears that the attacker used flash loans to borrow from the De-Fi protocols Aave and Balancer, and deposited the money with Euler. The attacker then borrowed ten times the amount it had deposited with Euler. The precise means, or vulnerability, by which the attacker could break the smart contract and keep the borrowings is not clear. Nor is it entirely clear whether the attack has finished, or whether it is still in process and more losses will be revealed.
Rebecca Moody, head of data research at Comparitech, commented, “De-Fi platform Euler Labs has suffered a flash loan attack, with reports suggesting as much as $197 million has been stolen in total (figures are continually growing as this is updated).” She notes that this is the largest crypto hack of 2023 so far, and the eleventh largest of all time.
“It also takes the total lost in 2023 so far to more than $363 million with 43 attacks recorded so far,” she continued. “Flash loans account for 14 of these attacks and more than half of the funds stolen ($207.5 million).”
Euler was founded in September 2020 in London by Doug Hoyte, Jack Prior, and Michael Bentley (CEO). It has raised a total of $40.8 million over three rounds – the latest being a venture round (series undisclosed) in June 2022.
UPDATE, March 29: Coindesk now reports the hacker, calling himself ‘Jacob’, is returning the stolen money. Jacob doesn’t make the reason clear, and there is no official confirmation on Euler’s website. We will update this story if more relevant data becomes available.