Euler Finance Exploit - March 14, 2023
Overview
A ~$200M attack struck Euler Finance, one of DeFi's established lending protocols, on March 14, 2023. The exploit ranked Euler at #6 on the REKT leaderboard, with its TVL plummeting from $264M to $10M.
What Happened
Peckshield identified the exploit as it was unfolding. The attacker extracted $197M in ETH, WBTC, USDC, and DAI across multiple transactions. An associated address later transferred proceeds through Tornado Cash.
Technical Root Cause
The vulnerability existed in the donateToReserves function, introduced via EIP-14 the previous year. This function permits users to send eTokens directly to Euler reserves but crucially lacked health checks on the donor's position.
> "The attack ultimately arose from an incorrect donation mechanism and did not account for the donator's debt health, permitting them to create an unbacked DToken debt that will never be liquidated."
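To make the missing check concrete, here is an added, deliberately simplified Python model of a lending market. It is constructed for this page and is not Euler's code; the account names, the 0.75 collateral factor and the amounts are assumed values. The vulnerable donation burns the donor's collateral without re-evaluating their position, while the fixed version re-runs the same health check that borrow() uses and reverts when the donation would leave the debt unbacked.

```python
from dataclasses import dataclass, field

COLLATERAL_FACTOR = 0.75  # assumed: fraction of collateral value that backs debt


class UnhealthyPosition(Exception):
    """Raised where a real contract would revert."""


@dataclass
class Market:
    reserves: float = 0.0
    etoken: dict[str, float] = field(default_factory=dict)  # account -> collateral
    dtoken: dict[str, float] = field(default_factory=dict)  # account -> debt

    def is_healthy(self, account: str) -> bool:
        backing = self.etoken.get(account, 0.0) * COLLATERAL_FACTOR
        return backing >= self.dtoken.get(account, 0.0)

    def deposit(self, account: str, amount: float) -> None:
        self.etoken[account] = self.etoken.get(account, 0.0) + amount

    def borrow(self, account: str, amount: float) -> None:
        self.dtoken[account] = self.dtoken.get(account, 0.0) + amount
        if not self.is_healthy(account):  # borrow is guarded by a health check
            self.dtoken[account] -= amount
            raise UnhealthyPosition("borrow would leave account undercollateralized")

    def donate_to_reserves_vulnerable(self, account: str, amount: float) -> None:
        # Collateral leaves the account, debt stays, and nothing re-checks health.
        self.etoken[account] -= amount
        self.reserves += amount

    def donate_to_reserves_fixed(self, account: str, amount: float) -> None:
        self.etoken[account] -= amount
        self.reserves += amount
        if not self.is_healthy(account):  # same guard as borrow(), applied to the donor
            self.etoken[account] += amount  # undo, as a revert would
            self.reserves -= amount
            raise UnhealthyPosition("donation would leave account undercollateralized")


def demo(fixed: bool) -> tuple[bool, bool]:
    """Returns (donation_reverted, donor_healthy_afterwards) for a constructed scenario."""
    m = Market()
    m.deposit("alice", 100.0)
    m.borrow("alice", 70.0)  # 100 * 0.75 = 75 backing >= 70 debt, so this is allowed
    donate = m.donate_to_reserves_fixed if fixed else m.donate_to_reserves_vulnerable
    try:
        donate("alice", 50.0)  # would leave 37.5 backing against 70 debt
        reverted = False
    except UnhealthyPosition:
        reverted = True
    return reverted, m.is_healthy("alice")
```

The invariant a reviewer should look for is that every state transition that can reduce an account's collateral or raise its debt ends with the same health check; donateToReserves was the one path that skipped it.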
Attack Vector
The exploiter deployed two contracts:
1. Debt Contract: Used flash-loaned funds and Euler's leverage system to create a substantial underwater position via donateToReserves, generating unbacked debt.
2. Liquidator Contract: Liquidated the bad debt position at a discount, acquiring inflated eToken collateral and withdrawing underlying assets.
Financial Impact
Total losses: $197M, comprising:
• 86k ETH derivatives: $134.6M
• 849 WBTC: $18.6M
• 34M USDC
• 8.9M DAI
Attacker's address: 0xb66cd966670d962c227b3eaba30a872dbfb995db
Affected projects (partial list):
• Angle Protocol: $17M+ agEUR collateral
• Balancer: $11.9M bbeUSD
• Temple DAO: $5M
• Idle DAO: ~$5M
• Swissborg: $4.3M combined
• Yearn: $1.38M indirect exposure
• Yield Protocol: $1.5M
• Inverse Finance: $800k
Remediation & Recovery
Sherlock (smart contract insurance) accepted responsibility for missing the vulnerability during EIP-14 review and paid a $4.5M claim to Euler.
Euler reached out to the attacker via transaction data. The attacker eventually returned nearly all of the funds (per follow-up reporting).
Example exploit transaction (DAI):
0xc310a0affe2169d1f6feec1c63dbc7f7c62a887fa48795d327d4d2da2d6b111d