{"id":17383,"date":"2023-03-14T09:52:54","date_gmt":"2023-03-14T09:52:54","guid":{"rendered":"https:\/\/nftandcrypto-news.com\/crypto\/euler-finance-blocks-vulnerable-module-working-on-recovering-funds\/"},"modified":"2023-03-14T09:52:56","modified_gmt":"2023-03-14T09:52:56","slug":"euler-finance-blocks-vulnerable-module-working-on-recovering-funds","status":"publish","type":"post","link":"https:\/\/nftandcrypto-news.com\/crypto\/euler-finance-blocks-vulnerable-module-working-on-recovering-funds\/","title":{"rendered":"Euler Finance blocks vulnerable module, working on recovering funds"},"content":{"rendered":"
<\/p>\n
Decentralized finance (DeFi) lending protocol Euler Finance became a victim of a flash loan attack on March 13, resulting in the largest crypto hack of 2023 so far. The lending protocol lost nearly $197 million in the attack, which also impacted more than 11 other DeFi protocols.<\/p>\n
On March 14, Euler published an update on the situation and notified its users that it had disabled the vulnerable etoken module to block deposits and the vulnerable donation function.<\/p>\n
The firm said that it works with various security groups to audit its protocol, and that the vulnerable code was reviewed and approved during an outside audit. The vulnerability was not discovered as part of the audit.<\/p>\n
\nOne of our auditing partners, @Omniscia_sec<\/a>, prepared a technical post-mortem and analysed the attack in great detail. You can read their report here: https:\/\/t.co\/u4Z2xdutwe<\/p>\n
In short, the attacker exploited vulnerable code which allowed it to create an unbacked token debt\u2026 https:\/\/t.co\/FGnPqvYUGB<\/p>\n
\u2014 Euler Labs (@eulerfinance) March 14, 2023<\/a><\/p><\/blockquote>\n
The vulnerability remained on-chain for eight months until it was exploited, despite a $1 million bug bounty in place.<\/p>\n
Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler submit a claim. The audit protocol later voted on the $4.5 million claim, which passed, and executed a $3.3 million payout on March 14.<\/p>\n
In its analysis report, the audit group identified a significant factor in the exploit: a missing health check in \u201cdonateToReserves,\u201d a new function added in EIP-14. However, the protocol stressed that the attack was still technically possible even before EIP-14.<\/p>\n
Sherlock noted that the Euler audit by WatchPug in July 2022 missed the critical vulnerability that eventually led to the exploit in March 2023.<\/p>\n
\nSimilarly, Sherlock stands behind every auditor who reviewed Euler. <\/p>\n
Sherlock initially worked with @cmichelio<\/a> to audit the first version of Euler in Dec 2021, then with @shw9453<\/a> to audit a very small update in Jan 2022, and finally with @WatchPug_<\/a> to audit EIP-14 in July 2022.<\/p>\n