Nearly $200m in crypto stolen in Euler Finance attack

Hackers stole almost $200 million worth of cryptocurrencies from the Euler Finance lending protocol, the media reported earlier this week. 

Euler is a non-custodial Decentralized Finance (DeFi) protocol on Ethereum that allows users to lend and borrow almost any crypto asset. The company behind the protocol, Euler Labs, confirmed the incident via Twitter, saying security professionals, as well as the police, have been brought in to investigate the matter. 

Per BleepingComputer, the attack exploited a poorly designed flash loan feature, which allows users to borrow funds “in a flash” and return them just as quickly. The feature had a vulnerability allowing the attackers to borrow a large sum of money without having to return its value to the service.

Wrapped BTC and Staked ETH

“The attackers use an exploit that allows them to manipulate the price of a token or asset on the platform during the few seconds that they hold the lent amount, so when the trade is complete, they are left with a massive profit,” the publication explained.

In this incident, the attackers stole $8.75 million in the DAI token, $18.5 million in WBTC (“wrapped” bitcoin - bitcoin on the Ethereum network), $33.85 million in USDC (a stablecoin whose value is pegged to the US dollar), and $135.8 million in stETH (staked ETH - a liquid staking derivatives token used to represent staked Ether on Lido (LDO)).

While the media are reporting that the funds are being monitored and that it will be difficult for the attackers to convert them into something they can use without having them confiscated, blockchain analytics firm Elliptic says some of the stolen tokens have already made it through the Tornado Cash mixer (in other words, they were laundered).

Following the news, the Euler token (EUL) dropped in value from $6.2 to $3.1 at press time.

Sead Fadilpašić
