Understanding Smart Contract Vulnerabilities: A Case Study on the Euler Finance Hack

Eman Herawy
Published in Coinmonks
Sep 18, 2023

Disclaimer

This article, “Understanding Smart Contract Vulnerabilities: A Case Study on the Euler Finance Hack” was prepared as part of Ekolance’s smart contract audit training. It is intended for educational purposes only.

Important note:

4/6/23: Hacker returns stolen funds, marking one of the largest DeFi recoveries.

Introduction

On March 13, 2023, Euler Finance fell victim to one of the largest DeFi attacks of 2023. Euler Finance is a permissionless lending/borrowing DeFi protocol on the Ethereum network: an over-collateralized lending platform that supports any ERC-20 token. The attacker stole $197M in ETH, WBTC, USDC and DAI through a flash loan and price manipulation.

This attack is ranked as the 6th largest attack in crypto on the rekt.news leaderboard, and Euler’s TVL dropped from $264M to just $10M. In addition to Euler itself (whose token, EUL, fell over 50%), the fallout affected many projects integrated with Euler.

Timeline of Events

At 11:59 AM (GMT+3) on Mar 13, 2023, PeckShield raised an alarm about suspicious activity in the Euler Finance protocol. One hour later, Euler Labs acknowledged the exploit, stating they were “working with security professionals and law enforcement”.

Intro to Euler Finance Protocol

To understand the incident, we first need some background on the protocol and how it works.

“Euler is a non-custodial permissionless lending protocol on Ethereum that helps users to earn interest on their crypto assets or hedge against volatile markets without the need for a trusted third-party” (Euler docs).

Euler issues eTokens and dTokens whenever a user lends or borrows a token. When users perform lending or borrowing operations, they transact with two types of tokens: eTokens (which represent collateral) and dTokens (which represent debt).

Euler issues eTokens according to the funds a user deposits; dTokens automatically trigger on-chain liquidation when the platform holds more dTokens than eTokens.

Euler checks a user’s position on the platform (the “Health Score”) by comparing the value of the user’s eTokens (collateral) to their dTokens (debt). If the user’s collateral is worth more than their debt, the position is healthy; otherwise, the position may become subject to liquidation. This operation is called a “liquidation check” and is essential to ensure that the user can repay their debt and that the platform’s assets remain secure.

When a position becomes under-collateralized, the platform can liquidate the user’s collateral to recover the debt. This process usually involves selling the collateral at a discount to incentivize liquidators to participate and so facilitate recovery of the debt.

Root Cause Analysis

In July 2022, the Euler Finance team introduced eIP-14, the update in which the vulnerable code was introduced. The changes were audited by Sherlock. The update contained many changes, but the one that matters here is the DonateToReserve function: it lets a user donate eTokens to the reserves by burning eTokens only, with no matching dToken burn, leading to an incorrect conversion of borrowed assets into collateralized assets.

The attacker carried out the attack by combining the following features:

  1. Flash loans
  2. The missing liquidity check in the DonateToReserve function
  3. The liquidation discount of Euler Finance

Execution Flow:

1- The attacker takes a 30M DAI flash loan from Aave

2- Deploy the Violator contract (the account that will end up with bad debt):

- Transfer the full 30M DAI loan balance to the violator

- Deposit 20M DAI into the DAI eToken market of Euler Finance, receiving ~19.56M eDAI

- Create a 200M artificial eDAI leverage position, minting ~195.68M eDAI and 200M dDAI to the violator

- Repay 10M DAI on the violator’s position, bringing its dDAI balance down to 190M

- Create another 200M artificial eDAI leverage position, minting ~195.68M eDAI and 200M dDAI to the violator

- Donate 100M eDAI to the reserves of the eToken

At this point, the violator’s state is:

  • eDAI: ~310.93M
  • dDAI: 390M

The liquidator exploits this state through the calculations within the Liquidation module.

3- Deploy the Liquidator contract:

- Liquidate the position, acquiring ~310.93M eDAI and ~259.31M dDAI

- Withdraw the full DAI reserve by burning the corresponding eDAI at an exchange rate of 0.97 eDAI per DAI

4- Repay the flash loan

5- Swap USDC and WBTC for DAI and ETH
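To make the root cause concrete, here is an added simplified Python model (not Euler’s code) of the eDAI/dDAI accounting that replays the violator’s steps above, once with a donate function that only burns eTokens, as in eIP-14, and once with the same function followed by the liquidation check that was missing. It assumes a constant exchange rate of 0.978 eDAI per DAI (derived from the 20M DAI to ~19.56M eDAI step), no interest accrual and no collateral or borrow factors; the class and function names are my own.

```python
from dataclasses import dataclass

EDAI_PER_DAI = 0.978  # assumed rate, derived from the 20M DAI -> ~19.56M eDAI step


@dataclass
class Account:
    edai: float = 0.0  # collateral token balance
    ddai: float = 0.0  # debt token balance

    def health(self) -> float:
        """DAI value of collateral divided by debt; below 1.0 is liquidatable."""
        if self.ddai == 0:
            return float("inf")
        return (self.edai / EDAI_PER_DAI) / self.ddai

    def deposit(self, dai: float) -> None:
        self.edai += dai * EDAI_PER_DAI

    def mint(self, dai: float) -> None:
        """Self-collateralised leverage: eDAI and dDAI are created together."""
        self.edai += dai * EDAI_PER_DAI
        self.ddai += dai

    def repay(self, dai: float) -> None:
        self.ddai -= dai


def donate_to_reserves_vulnerable(acct: Account, edai: float) -> None:
    """Burns eDAI only, leaves dDAI untouched and never re-checks health."""
    acct.edai -= edai


def donate_to_reserves_hardened(acct: Account, edai: float) -> None:
    """Same burn, followed by the liquidation check the original omitted."""
    acct.edai -= edai
    if acct.health() < 1.0:
        raise ValueError("donation would leave the account under-collateralised")


def replay(donate) -> Account:
    """Replays the violator's steps from the execution flow above."""
    v = Account()
    v.deposit(20_000_000)   # ~19.56M eDAI
    v.mint(200_000_000)     # ~195.68M eDAI and 200M dDAI
    v.repay(10_000_000)     # dDAI drops to 190M
    v.mint(200_000_000)     # ~195.68M eDAI and 200M dDAI again
    donate(v, 100_000_000)  # 100M eDAI burned, dDAI untouched
    return v
```

With the vulnerable donate the replayed position ends with ~310.76M eDAI against 390M dDAI (health well below 1.0, hence liquidatable), while the hardened version rejects the donation because the same position was still healthy before the burn.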

Response and Mitigation

  • Euler reached out to the attacker’s address via tx input data:

We understand that you are responsible for this morning’s attack on the Euler platform. We are writing to see whether you would be open to speaking with us about any potential next steps.

  • Sherlock has taken responsibility for missing the vulnerability in their review of eIP-14 last year, and will pay a claim of $4.5M to Euler.
  • The hacker returned the stolen funds and apologized through a series of encrypted messages.

Lessons Learned

  • Testing against a range of simulated scenarios is crucial.
  • Pushing updates to deployed smart contracts is dangerous; every change should be carefully tested and reviewed, because even a tiny modification can open the door to serious vulnerabilities.
