Full Report
When handling loans in the land of DeFi, extra considerations need to be taken compared to the real world. There are two main parties to a loan: the lender and the borrower. The lender is the entity allowing a user to borrow their funds; the borrower is the entity using the other entity's funds. In order to ensure the lender gets their money back, a user must provide collateral, an asset that can be kept if the value is not returned. To ensure that the lender doesn't lose money, the borrower needs to provide more value than what they are borrowing. What if the collateral asset drops in value? The borrower then has no incentive to give the money back, since the asset they borrowed is worth more. To prevent this problem, loans can be liquidated by a liquidator: the liquidator pays back the lender in the original asset and purchases the collateral at a discount.

Euler Finance is a lending and borrowing DeFi protocol. Its donation function had a very subtle vulnerability: when making a donation, there is no check to see whether the value being donated makes a loan underwater (bad). This can be abused to dramatically skew the loan. Now, the interesting part: since the loan is in a bad state, somebody can come and liquidate it. However, the discount on the collateral is proportional to how bad the state of the loan is. As a result, if we donate a large amount of our loan, the state of the loan will be drastically skewed, and when the liquidator comes to purchase the assets back, the percentage discount can be pushed to 20%. From the attack, the author made 8.7M USD in funds by getting the very large discount on the liquidation.

Overall, a really interesting post on a huge hack. The loan system explained in this post is super helpful as well.
Analysis Summary
# Incident Report: Euler Finance Flash Loan Liquidation Exploit
## Executive Summary
Euler Finance was targeted in a sophisticated flash loan attack that exploited a logic flaw in its `EToken::donateToReserves` function. The attacker used uncollateralized "donations" to intentionally put an account into a state of "bad debt," allowing them to liquidate themselves at a massive 20% discount. This resulted in a total loss of approximately $197 million across various assets (with the provided text highlighting an $8.7M segment of the attack).
## Incident Details
- **Discovery Date:** March 13, 2023
- **Incident Date:** March 13, 2023 (approx. 08:50 UTC)
- **Affected Organization:** Euler Finance
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Global / Distributed (Blockchain-based)
## Timeline of Events
### Initial Access
- **Date/Time:** 2023-03-13 08:50 UTC
- **Vector:** Smart Contract Interaction (Flash Loan)
- **Details:** The attacker utilized a 30M DAI flash loan from Aave V2 to provide initial liquidity for the exploit.
### Lateral Movement
- **Mechanism:** The attacker deployed and moved funds between a "Primary" contract, a "Violator" contract, and a "Liquidator" contract to manipulate internal protocol accounting across separate sub-accounts.
### Data Exfiltration/Impact
- **Assets Stolen:** The attacker drained millions in DAI and other assets (e.g., WBTC, WETH, USDC) by exploiting the liquidation discount mechanism. Total losses across the incident were nearly $200 million.
### Detection & Response
- **Discovery:** On-chain monitoring tools and security researchers detected anomalous, high-value liquidation transactions.
- **Response Actions:** The protocol was paused where possible; post-mortem analysis was initiated by security firms like Omniscia to identify the root cause in the eIP-14 upgrade code.
## Attack Methodology
- **Initial Access:** Smart contract interaction via an anonymous wallet.
- **Persistence:** Not applicable; the attack was atomic (executed within a single block/transaction).
- **Privilege Escalation:** Exploited the `donateToReserves` function to bypass health checks, effectively overriding standard borrowing limits.
- **Defense Evasion:** Used flash loans to hide the source of initial capital and used multiple intermediary contracts.
- **Impact:** Intentional creation of "bad debt" to trigger a liquidation event with a maximum (20%) discount.
## Impact Assessment
- **Financial:** Total protocol loss of ~$197 Million USD; the specific DAI transaction described accounted for $8.7M in profit.
- **Data Breach:** None (Financial theft only).
- **Operational:** Euler Finance protocol operations were effectively halted; the "bad debt" left the protocol insolvent for affected pools.
- **Reputational:** Significant loss of trust in the protocol's upgrade process (eIP-14).
## Indicators of Compromise
- **Network Indicators:** Calls to Euler Finance `EToken` and `Liquidation` modules from unknown contracts.
- **File Indicators:** Attack Transaction Hash: `0xc310a0affe2169d1f6feec1c63dbc7f7c62a887fa48795d327d4d2da2d6b111d`.
- **Behavioral Indicators:** Patterns involving `mint` -> `donate` -> `liquidate` within a single transaction.
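The behavioral indicator above (`mint` -> `donate` -> `liquidate` inside one transaction) can be turned into a simple rule over decoded call traces. The following is an added example, not code from the original post or from Euler; the call records are constructed, and the field names `tx_hash`, `caller` and `function` are assumptions about how a tracing pipeline labels decoded internal calls.

```python
"""Detection rule: flag transactions whose decoded calls contain
mint -> donateToReserves -> liquidate in that order.

Added example. SAMPLE_TRACE is constructed data, not real chain data;
the record field names are assumptions about a tracing pipeline's output.
"""
from collections import defaultdict

# Function names that, in this relative order within a single transaction,
# match the report's behavioral indicator.
SUSPICIOUS_SEQUENCE = ("mint", "donateToReserves", "liquidate")

# Constructed decoded-call records, one per internal call, in execution order.
SAMPLE_TRACE = [
    # Benign: ordinary deposit and borrow.
    {"tx_hash": "0xTX_CONSTRUCTED_1", "caller": "0xUserA", "function": "deposit"},
    {"tx_hash": "0xTX_CONSTRUCTED_1", "caller": "0xUserA", "function": "borrow"},
    # Benign: a keeper liquidating an already-underwater account, no donate.
    {"tx_hash": "0xTX_CONSTRUCTED_2", "caller": "0xKeeper", "function": "liquidate"},
    # Suspicious: mint, donate and liquidate all inside one transaction,
    # split across two contracts the way the report describes.
    {"tx_hash": "0xTX_CONSTRUCTED_3", "caller": "0xViolator", "function": "deposit"},
    {"tx_hash": "0xTX_CONSTRUCTED_3", "caller": "0xViolator", "function": "mint"},
    {"tx_hash": "0xTX_CONSTRUCTED_3", "caller": "0xViolator", "function": "donateToReserves"},
    {"tx_hash": "0xTX_CONSTRUCTED_3", "caller": "0xLiquidator", "function": "liquidate"},
]


def contains_in_order(calls, sequence):
    """True if every name in `sequence` occurs in `calls` in that relative order
    (other calls may be interleaved)."""
    idx = 0
    for fn in calls:
        if fn == sequence[idx]:
            idx += 1
            if idx == len(sequence):
                return True
    return False


def flag_transactions(trace, sequence=SUSPICIOUS_SEQUENCE):
    """Group decoded calls by transaction and return the sorted hashes of those
    that contain the suspicious sequence in order."""
    by_tx = defaultdict(list)
    for rec in trace:
        by_tx[rec["tx_hash"]].append(rec["function"])
    return sorted(tx for tx, fns in by_tx.items() if contains_in_order(fns, sequence))


if __name__ == "__main__":
    for tx in flag_transactions(SAMPLE_TRACE):
        print("ALERT: mint -> donate -> liquidate within", tx)
```

The rule deliberately groups by transaction rather than by caller, because the report notes the steps were spread across separate "Violator" and "Liquidator" contracts; a per-caller rule would miss exactly that split.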
## Response Actions
- **Containment:** Euler team worked with security partners to analyze the vulnerable eIP-14 contract upgrades.
- **Eradication:** Identification of the missing health check in `EToken::donateToReserves`.
- **Recovery:** (Beyond article scope) Negotiating with the attacker for fund returns.
## Lessons Learned
- **The Danger of "Subtle" Features:** The donation function seemed benign but lacked critical "health check" logic required for any function that alters an account's collateral-to-debt ratio.
- **Impact of Artificial Leverage:** Allowing users to mint/deposit in the same transaction can create massive uncollateralized positions if liquidation logic is flawed.
- **Upgrade Complexity:** The vulnerability was introduced during a complex upgrade (eIP-14). New features in DeFi must be audited specifically for their impact on existing liquidation math.
## Recommendations
- **Universal Health Checks:** Implement a mandatory "checkAccountStatus" modifier on every function that can decrease a user's `EToken` balance or increase their `DToken` balance.
- **Liquidation Caps:** Review and potentially cap the maximum discount allowed during liquidation to prevent extreme profit incentives for self-liquidation.
- **Formal Verification:** Use formal verification for mathematical logic involving protocol-wide "bad debt" scenarios.
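To make concrete both the mechanism described in the Full Report (a donation that lowers collateral with no health check, then a liquidation discount that grows with how far underwater the account is, up to 20%) and the "Universal Health Checks" recommendation above, here is an added toy model. It is not Euler's contract code: the `Account` class, the collateral factor, the discount slope and the status-check placement are simplifying assumptions; only the 20% ceiling comes from the write-up.

```python
"""Toy lending-account model: why every collateral-lowering function must end
with a health check, and how an underwater-scaled liquidation discount (capped
at 20%) rewards an account that was pushed underwater on purpose.

Added example. Collateral factor, discount slope and the starting position are
assumed values for illustration; the 20% cap is the figure from the write-up.
"""
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.75          # assumed: $1 of collateral supports $0.75 of debt
MAX_DISCOUNT = 0.20               # 20% ceiling mentioned in the write-up
DISCOUNT_PER_UNIT_BADNESS = 0.5   # assumed slope: discount grows as health falls below 1.0


class AccountUnhealthy(Exception):
    """Raised when an operation would leave the account underwater."""


@dataclass
class Account:
    collateral: float   # USD value of ETokens (deposited assets)
    debt: float         # USD value of DTokens (borrowed assets)

    def health(self) -> float:
        """Risk-adjusted collateral over debt; below 1.0 the position is underwater."""
        if self.debt == 0:
            return float("inf")
        return (self.collateral * COLLATERAL_FACTOR) / self.debt

    def check_status(self) -> None:
        """The check a universal modifier would run after any balance change."""
        if self.health() < 1.0:
            raise AccountUnhealthy(f"health {self.health():.3f} < 1.0")


def donate_vulnerable(acct: Account, amount: float) -> None:
    """Burns collateral with no re-check of health (the flawed behaviour)."""
    acct.collateral -= amount


def donate_hardened(acct: Account, amount: float) -> None:
    """Same operation, followed by the status check that prevents self-inflicted bad debt."""
    acct.collateral -= amount
    acct.check_status()


def liquidation_discount(acct: Account) -> float:
    """Discount offered to a liquidator: zero when healthy, otherwise proportional to
    how far health is below 1.0, clamped at MAX_DISCOUNT."""
    h = acct.health()
    if h >= 1.0:
        return 0.0
    return min(MAX_DISCOUNT, (1.0 - h) * DISCOUNT_PER_UNIT_BADNESS)


def run_scenario(donation: float, hardened: bool):
    """Start from a constructed healthy position, donate, and return
    (health, discount) rounded to 4 places, or None if the hardened path reverted."""
    acct = Account(collateral=100.0, debt=70.0)   # constructed: health ~1.07
    acct.check_status()
    try:
        (donate_hardened if hardened else donate_vulnerable)(acct, donation)
    except AccountUnhealthy:
        return None
    return round(acct.health(), 4), round(liquidation_discount(acct), 4)


if __name__ == "__main__":
    print("vulnerable, donate 20:", run_scenario(20.0, hardened=False))
    print("vulnerable, donate 60:", run_scenario(60.0, hardened=False))
    print("hardened,   donate 60:", run_scenario(60.0, hardened=True))
```

With the vulnerable path, a larger donation drives health further below 1.0 and the discount climbs until it hits the 20% cap; with the hardened path the same donation reverts, so the underwater state the discount depends on can never be created by the account's own action.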