
The $200M Euler Finance Hack

By Junion

Summary

Key takeaways

  • Euler hack: $200M stolen via 'donate' function bug: The Euler Finance hack, which resulted in $200 million being stolen, was enabled by a 'donate' function that lacked a crucial security check, allowing users to donate into insolvency. [04:46]
  • Flash loan and self-collateralization enabled hack: The hacker utilized a flash loan to acquire collateral and then exploited Euler's self-collateralization mechanism, which allows a higher loan-to-value ratio for same-token assets, to create a highly leveraged position. [03:58], [04:26]
  • Bank run ensued after $200M hack: Following the hack that drained $200 million, a bank run occurred as users, unable to withdraw their funds from affected pools, scrambled to borrow other assets to offset their losses. [05:47], [06:04]
  • Attacker's erratic behavior left clues: Despite attempts to anonymize funds through Tornado Cash, the hacker's careless and sporadic actions, including accidentally sending funds to the Ronin Bridge exploiter, left a trail of hints for investigators. [01:03], [01:33]
  • Community investigation led to recovery: A skilled and motivated group of investigators gathered significant information within 24 hours, leading to communication with the attacker and the eventual recovery of nearly all stolen funds. [15:26], [15:49]
  • North Korea phishing attempt thwarted: The hacker was targeted by a phishing attempt from a group suspected to be North Korea, which tried to trick them into revealing their private key through a malicious decryption tool. [08:44], [10:41]

Topics Covered

  • DeFi Bank Runs: A New Form of Financial Panic.
  • A Single Code Line Caused a $200M Hack.
  • The Chaotic Human Element Behind a Digital Heist.
  • Why Post-Hack Refunds Are Never Simple.
  • Crypto Hacks Prove Anonymity Is an Illusion.

Full Transcript

8 million dollars was just hacked from Euler, but the attacker left behind a strange message.

He claims to be a good guy, running a bot that merely frontran the real hacker.

The bot noticed the hacker’s transaction, copied it, and sent it out first.

He tried to return the money, but the contract can only send to an address already in bytecode.

Unfortunately, it sent the money to the hacker's address.

I tried my best and I am very sorry for anyone who lost money.

In the next 20 minutes, the real hacker attacked the protocol 5 more times, stealing a total of 200 million dollars.

Euler was once a highly trusted protocol, having been thoroughly audited and embraced by countless users.

The heartbreaking devastation of this massive hack has shattered that trust, leaving users with nothing.

And it's not just users who were affected.

Many other protocols had funds in Euler.

Angle’s stablecoin depegged after it lost 17 million dollars.

Balancer rushed to pause its Euler Boosted Pools after losing 12 million.

And the list goes on.

Meanwhile, the hacker was relentless, depositing Ethereum into Tornado Cash, where it could no longer be traced.

But there was a sign of hope.

Someone sent the hacker a message: Please consider returning the money.

I'm just a user that had my life savings deposited into Euler, I'm not a millionaire.

I’m completely destroyed.

You'll bring back joy to a lot of affected people.

An hour later, the hacker sent him 100 ETH.

But this was the only user who would be refunded, and the hacker continued to move the stolen ETH out until they “accidentally” sent some to another wallet and abruptly stopped.

This is the Ronin Bridge Exploiter.

A year ago, the Ronin Bridge was hacked for 600 million dollars.

And the people behind it are linked to Lazarus, a North Korea-sponsored hacking group.

So, was the Euler hack just another North Korean hack?

Or was the hacker merely trying to deflect the blame?

Surely North Korea wouldn’t even have the mercy to refund a single user.

In reality, the hacker’s careless and sporadic behavior left a trail of hints.

This, combined with infighting within the attacker's group, hindered their ability to manage the stolen money.

Let’s look at how the hack worked and why it worked, before finally showing the incredible and chaotic way Euler was able to recover all the money.

This is one of the largest digital heists ever, but it's also one of the most fascinating tales of redemption.

Before we get to that, what is Euler? Euler Finance is a lending platform on the Ethereum blockchain that allows users to lend and borrow almost any crypto asset.

But how does Euler trust borrowers to repay their loans, plus the interest?

The answer is they don't.

All loans are overcollateralized, meaning if you want to borrow some amount of money, you first need to post at least that amount as collateral.

For example, if I deposit 100 dollars, I can borrow up to $82 of ETH, because we multiply the collateral factor of USDC by the borrow factor of ETH to get 82%.

Let's borrow only $50.

I don't want to borrow too much because that could put me at risk of liquidation.

My health factor represents how far away I am from liquidation.

Now let's say ETH pumps and my health factor goes below one.

At this point, I'm borrowing more than my collateral allows me to.

Usually, I would get liquidated here for a fixed penalty.

However, one of Euler's innovations is a soft liquidation mechanism.

The penalty starts at 0% and increases by 1% for every point decrease in my health factor.

Let’s say it takes until 0.95 for a liquidator to liquidate me.

They would repay my ETH debt and receive my USDC for a 5% discount.

However, if your health factor keeps going down, it can reach the maximum 20% penalty.

And this is how the hacker was able to make so much money.

The hack drained six different tokens, but they all worked in the same way.

Let’s look at the first.

It starts by borrowing 30 million DAI through a flash loan from Aave.

A flash loan is a special type of loan anyone can take as long as they repay the money in the same transaction.

Now that we have 30 million dollars, let’s deposit it into Euler.

Then, let’s borrow 390 million and deposit it right back.

Usually, DAI has a collateral and borrow factor that leads to a maximum of 75% loan to value.

However, Euler has a special mechanism for self-collateralized loans.

When your assets and debt are the same token, it bumps up your max loan to value to 95%.

Dividing our borrows by our collateral, we get a loan to value of 93% and a health factor of 1.02. So everything is still perfectly legal on Euler.

We just have a highly self-leveraged DAI position.

Now, here is where the vulnerability comes into play.

Euler has a donate function that allows users to donate their collateral to the protocol itself.

It was implemented because sometimes, if you have a very small balance, it can be cheaper to donate the dust than withdraw it yourself.

However, this function lacks a critical security check: it doesn’t require the user’s health factor to be above one afterward.

And this is the bug: it allows a user to donate into insolvency.

Back to our leveraged position, we now abuse this by donating 100 million.

Now, our health factor is 0.77. This lets us take another account and liquidate the violator, earning the maximum 20% penalty.

Our deposits times 20% gives us a premium of 64 million dollars.

Finally, we repay the 30 million flash loan to net a profit of 34 million.

However, Euler doesn’t have that much money in its reserves, so we walk away with 8.9 million.

The hacker repeated this five more times to drain a total of 200 million dollars.
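The position arithmetic from the walkthrough above, as a toy model added here (not Euler's code): it reproduces the health factor before and after the donation, the soft-liquidation penalty, and puts the unchecked donate beside the one-line check that would have blocked it. The 8.9M figure is assumed to be the pool's spare liquidity.

```python
# Toy model of the leveraged DAI position walked through above (added example,
# not Euler's code). Figures are the video's: 30M flash loan, 390M self-borrow,
# 100M donation, 0.95 self-collateral LTV, 20% penalty cap, 8.9M spare liquidity.
from dataclasses import dataclass

SELF_COLLATERAL_FACTOR = 0.95  # max LTV when collateral and debt are the same token
MAX_PENALTY = 0.20             # cap on the soft-liquidation discount


def liquidation_penalty(health: float) -> float:
    # Soft liquidation: 0% at health 1.0, +1% per 0.01 below it, capped at 20%.
    return min(MAX_PENALTY, max(0.0, 1.0 - health))


@dataclass
class Position:
    collateral: float
    debt: float

    def health(self) -> float:
        if self.debt == 0:
            return float("inf")
        return self.collateral * SELF_COLLATERAL_FACTOR / self.debt

    def borrow_and_redeposit(self, amount: float) -> None:
        # Self-collateralized borrow: debt and collateral grow by the same amount.
        self.debt += amount
        self.collateral += amount
        if self.health() < 1.0:
            raise ValueError("borrow would leave the account unhealthy")

    def donate_unchecked(self, amount: float) -> None:
        # The vulnerable shape: collateral leaves and nothing re-checks solvency.
        self.collateral -= amount

    def donate_checked(self, amount: float) -> bool:
        # The missing check: refuse any donation that would end below health 1.0.
        if (self.collateral - amount) * SELF_COLLATERAL_FACTOR < self.debt:
            return False
        self.collateral -= amount
        return True


def run_attack(flash_loan: float, self_borrow: float, donation: float,
               pool_liquidity: float) -> dict:
    pos = Position(collateral=flash_loan, debt=0.0)  # flash-loan DAI, deposit it
    pos.borrow_and_redeposit(self_borrow)            # borrow, deposit right back
    health_before = pos.health()
    pos.donate_unchecked(donation)                   # donate into insolvency
    health_after = pos.health()
    penalty = liquidation_penalty(health_after)      # liquidate from a 2nd account
    premium = pos.collateral * penalty               # discount on seized collateral
    paper_profit = premium - flash_loan              # repay the flash loan
    return {"health_before": health_before, "health_after": health_after,
            "penalty": penalty, "premium": premium, "paper_profit": paper_profit,
            "realized": min(paper_profit, pool_liquidity)}  # bounded by reserves
```

Swapping `donate_unchecked` for `donate_checked` in `run_attack` makes the donation step fail, which is the whole difference between a harmless dust-cleanup helper and the drain.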

News of Euler's hack spread like wildfire.

With 200 million gone from the 250 million dollars in reserves, panic set in.

Users who deposited in the six hacked pools found themselves unable to withdraw their money, but they could still leverage their collateral to borrow other tokens.

This started a massive bank run.

Depositors scrambled to borrow anything they could to offset their losses.

At first, they rushed to borrow Tether.

It’s interesting that the hacker didn’t target Tether because of the token’s non-standard interface, which would require additional work.

After the Tether reserves were quickly depleted, depositors then turned to borrow Coinbase Staked Ether.

After one hour, almost every available asset was borrowed from Euler's reserves.

Euler is actually designed in a way to prevent bank runs.

When reserves go down, interest rates go up, incentivizing users to deposit or repay their borrows.

However, this only works if Euler as a whole is financially sound.

But with 200 million now missing, even sky-high interest rates would have no effect on discouraging these panic-driven borrows.

Unfortunately, some people fell for the trap.

They saw the massive three-figure interest rates on the hacked assets and deposited, only for their deposits to be instantly withdrawn by another user.

Euler was audited, and its protocol was designed to be robust against manipulation.

Even if one asset is hacked, the damage is isolated.

However, Euler was hacked for a more benign reason: the donate function.

Remember this function didn’t check your health after donation.

So, this entire hack could have been prevented with a single line of code.

How did this simple bug go unnoticed for so long?

The hacker had 30 million dollars, then leveraged it to donate 100 million, more money than he originally had.

But if you think about it, it’s never profitable to just donate Euler money.

Instead, the hack was only profitable because such an underwater position allowed the liquidator to earn the max 20% penalty.

The unchecked donate function seemed harmless, until its combination with the liquidator bonus made it deadly.

The Euler team tried to communicate with the hacker by sending him on-chain messages.

After no response, they demanded 90% of the funds and threatened to launch a one million dollar reward for information that leads to his arrest and the return of all funds.

The next day, they sent another message.

The simplest way to move forward today is to return 90%.

Then investigations can be halted.

At this point, multiple victims begged the hacker for their money back, and he chose to refund one user with 100 ETH after he said he had his life savings in Euler and was “completely destroyed”.

That user was more than grateful, as he actually received more than he lost.

He returned the extra 12 ETH that doesn't belong to him.

The hacker kept moving ETH into another wallet as he had been doing for the past few days.

He sent them 100 ETH at a time, over and over, until he “accidentally” sent 100 ETH to the Ronin Bridge Exploiter, which is linked to Lazarus, a North Korea-sponsored hacking group.

This led to mass speculation over North Korea’s involvement in the Euler Hack.

But the next day, hope finally came.

The hacker sent Euler 1000 ETH, then again, and again.

The community celebrated as it looked like the hacker was finally returning the funds.

But then, the hacker sent Euler…

0 ETH.

Euler responded by thanking him.

“The original offer still stands if you would like to continue by returning the funds. The reward for information will be removed immediately and all our investigations will be dropped.”

But so far, he only returned 3000 ETH, a tiny part of what was stolen.

Was the hacker serious about returning the money, or was he just trolling again?

The answer came two days later when he said: We want to make this easy on all those affected.

No intention of keeping what is not ours.

Setting up secure communication.

Let us come to an agreement.

Message received.

Let's talk in private.

Looks like North Korea finally replied.

They sent the hacker 2 ETH along with this message: Decrypt with the private key of your address.

So what was North Korea trying to say here?

We will probably never know, but people pointed out that this could be a trap.

It’s pretty suspicious if any piece of software wants you to enter your private key, especially when the private key contains 200 million dollars.

Euler quickly tried to warn the hacker: Be very careful using that decryption tool.

The simplest way out here is to return funds.

Do not try to view that message under any circumstance.

Do not enter your private key anywhere.

Reminder that your machine may also be compromised.

Do NOT use the suggested decryption tool.

It has an old version of elliptic, which has a vulnerability: Basically, if the hacker signs a message and sends the encrypted content back to North Korea, they could reverse it and their private key could be compromised.

North Korea is trying to phish the hacker.

However, the hacker knew better and replied that they still want to do the right thing, returning funds to the Euler team.

Will communicate shortly.

The hacker sent over an email that was likely registered on the same day.

Good news.

The hacker sent Euler 51,000 ETH.

He then posted a new email address.

Finally, he sent the rest of the funds evenly among four different wallets.

Let’s call them subwallets.

After receiving its share of the funds, subwallet 3 immediately returned most of the money to Euler.

Then came a series of panicked messages.

email me ASAP will give up everything about hacker for 15% email me ASAP will give up everything about hacker for 15% email me ASAP will give up everything about the hacker for 10% like offered.

Euler exploiter 3 here.. please just email me, will reply with info ASAP.. don't care about bounty Euler exploiter 3 here.. please just email me, will reply with info ASAP.. don't care about bounty

What’s really funny though is this email is hosted on tempumail.

While this was happening, I was able to log into the email and look around his inbox.

There was some pretty interesting stuff.

Like one person was extremely desperate and sent him 56 emails over the 56 ETH he lost in the hack.

There were also some phishing emails that provided fake addresses for him to return the money.

But one email caught my eye: one from the Securities and Exchange Commission.

It didn’t say much but pointed out that “We are watching you”.

I wanted to verify that this was a real email and not just another spoofed email, so I emailed the guy.

He replied, warning me against the deliberate provision of false information with my company and employees.

Hold on, I’m not the hacker.

But wait, is this even a real SEC email?

The domain sec.boston redirects to sec.gov, which is a real domain.

But then I realized that sec.boston was created that month on Namecheap.

So I don’t know but people are pretending to be the SEC.

Anyways, I think the Euler team was getting annoyed at this because they asked for another non-temporary contact for private discussion.

The hacker then sent another email address.

To those at our inbox.

Disable your spam filters, else you will not see replies.

Thank you.

Subwallets 1, 2, and 4 start returning the money.

Along the way, subwallet 1 randomly sent this wallet 5 DAI and 0.05 ETH.

Then, that wallet sent 5 DAI to the DAI token itself.

I guess this is another one of their stupid trolls?

The rest of the money will be returned ASAP.

I only look after my safety, and that is the reason for the delay.

I'm sorry for any misunderstanding.

Please read my next message.

Jacob here.

I don't think what I say will help me in any way but I still want to say it.

I [messed] up.

I didn't want to, but I messed with others' money, others' jobs, others' lives.

I really [messed] up.

I'm sorry.

I didn't mean all that.

I really didn't [...] mean all that.

Forgive me.

In the end, the hacker returned nearly everything and didn’t even keep the aforementioned 10% bounty.

He’s mainly left with 1100 ETH that was deposited into Tornado Cash.

For legal reasons, it’s difficult for the Euler team to accept funds from Tornado Cash.

However, all crypto pumped from the time of the hack to recovery, so this made refunding the victims tricky.

For example, what if someone had a short position on ETH before the hack, and because ETH pumped, their position should have gotten liquidated, but didn’t?

Euler handled this by simulating a repayment of all debt at the time of the hack, then valuing the position at the time of the refund.

Each user would then be entitled to claim a share of the recovered ETH, DAI, and USDC.

The way this was actually calculated was a bit more complicated, but overall, it wasn’t as simple as refunding everyone 1:1.

There was some controversy over this, as some users ended up receiving more from their claims than they had initially invested, at the expense of others who received less.

To put it simply, longers lost money and shorters gained money.

But at the same time, longers made money anyways from the increase in prices.

Overall, it gets tricky how to value these things, and it was only a few percent of discrepancy anyways.

Most users received roughly 100% of their losses and were more than happy to see their funds recovered.

This was an incredible turnaround in the world of crypto, where hacks usually lead to irreversible losses, and it’s all thanks to the Euler team.

As others have pointed out, the Euler recovery is a reminder to all would-be hackers that it is very difficult to remain anonymous online if there’s a sufficiently skilled and motivated group of people looking for you.

It took less than 24 hours after the attack before a significant amount of information and a number of leads had been gathered by those investigating.

The investigation was a round-the-clock, painstaking exercise meticulously mapping both on-chain and off-chain events leading up to and following the attack.

After several days tracing the attacker, public, and eventually private, lines of communication with the attacker were opened.

While the attack itself showed a level of sophistication, it quickly became clear the attacker had made a potentially life-changing mistake. Ultimately, after a period of lengthy negotiation, they were convinced to do the right thing for Euler users.

The community-led investigation is now over as the focus turns towards the future.

I asked Euler if they will ever come forward with the details of how the hacker was caught.

They replied that it's a long and interesting story, but there's probably nothing good to come from saying what they did.

Publishing anything would only hurt future efforts.

We may never know what really happened behind the recovery, but whatever they did, it worked.

And to me, that’s good enough.

Thanks for watching <3
