The latest hack, which cost DeFi platform Euler Finance $197 million, was the crypto industry’s biggest so far this year. The hackers remain unknown but have started returning the money.
On Saturday, March 18, the hackers sent about 3,000 ether (about $5.4 million) to Euler Finance’s wallet address, CoinTelegraph writes. Blockchain analyst PeckShield reported that the coins were sent in three transactions of 1,000 ether each.
Hackers are unlikely to return the full amount
The chances of the hackers returning the entire amount are very slim. At the time of publication, no further transactions had taken place.
On March 16, the lending platform offered a $1 million reward for information that would help track down the hackers or the stolen money. The coins were laundered via crypto mixer Tornado Cash shortly after the reward was announced.
Sophisticated flash credit attack
On March 13, the hackers carried out a sophisticated attack via Flash Loans from Euler. Michael Bentley, CEO of Euler Labs, described the days following the attack as “the most difficult” of his life in a series of tweets on March 17.
The credit protocol was exploited through a vulnerability. The hackers only carried out four transactions, using inUSD Coin, the stablecoin DAI, Wrapped Bitcoin (wBTC) and staked Ether (sETH).
The attackers fooled the DeFi platform into holding very little eToken, Euler’s security token, and more dToken, Euler’s debt token. Euler issues dTokens to trigger a liquidation on the blockchain when the platform holds more dTokens than eTokens.
Platform was hacked despite 10 audits in 2 years
Before losing $196 million in the attack, multiple auditors rated Euler Finance as “low risk”. The credit protocol was subjected to ten different reviews by six independent companies over a period of two years.
It was determined that there were “no unanswered questions”. One user even tweeted that it had “always been a security-conscious platform.”