Euler Finance’s $197M Hack: A Protocol’s Worst Nightmare
In March 2023, Euler Finance, a star in decentralised finance (DeFi), faced a crisis that threatened its existence. An attacker syphoned $197 million overnight through a flaw hidden in its code. The breach stunned users and experts alike, raising urgent questions: Could a platform once deemed secure recover? And why did the hacker return most of the funds?
The answers reveal a high-stakes drama involving cutting-edge tech, tense negotiations, and a team’s grit to rebuild. Even audited protocols, it turned out, weren’t immune to collapse.
The Flaw That Fueled a $197M Heist
The attack hinged on a single line of code. Months earlier, Euler’s developers had patched a minor bug. Unknowingly, they left a vulnerability in the “donateToReserves” function, which let users transfer assets to the protocol’s reserves. Hackers exploited this gap using flash loans: uncollateralised, instant loans repaid within seconds.
First, the attacker borrowed $30 million in DAI from Aave, another DeFi giant. They deposited $20 million into Euler, then manipulated the system to borrow ten times that amount. By donating inflated assets to reserves, they tricked the protocol into marking their debt as “unhealthy.” This triggered lucrative liquidation rewards, netting $8.87 million in profit in one transaction. Repeating this across pools, they stole $197 million.
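The defender’s lesson in the two paragraphs above is that an operation which reduces an account’s collateral while leaving its debt in place must end with the same health check that borrowing does; otherwise the protocol itself can be used to push a position into liquidation. The following is an added, simplified model written for this article, not Euler’s code: the pool, the collateral factor, the account names and all amounts are constructed, and the names `Pool`, `donate_to_reserves` and `run_scenario` are hypothetical. It runs the same sequence against a pool without a post-donation health check and against one with it, so the difference in the resulting account state is visible.

```python
"""Minimal lending-pool model: why a collateral-reducing operation must
finish with a liquidity (health) check.  Hypothetical illustration only;
not Euler's code.  All numbers are constructed."""

from dataclasses import dataclass, replace

# Constructed: one unit of collateral supports 0.75 units of debt.
COLLATERAL_FACTOR = 0.75


class Unhealthy(Exception):
    """Raised when an operation would leave debt above the borrow limit."""


@dataclass
class Account:
    collateral: float = 0.0
    debt: float = 0.0


class Pool:
    def __init__(self, check_after_donate: bool):
        # check_after_donate=False models the missing check; True the hardened form.
        self.check_after_donate = check_after_donate
        self.accounts = {}
        self.reserves = 0.0

    def account(self, who: str) -> Account:
        return self.accounts.setdefault(who, Account())

    def is_healthy(self, who: str) -> bool:
        a = self.account(who)
        return a.debt <= a.collateral * COLLATERAL_FACTOR

    def deposit(self, who: str, amount: float) -> None:
        self.account(who).collateral += amount

    def borrow(self, who: str, amount: float) -> None:
        # Borrowing always ends with the health check (the "normal" path).
        a = self.account(who)
        snapshot = replace(a)
        a.debt += amount
        if not self.is_healthy(who):
            self.accounts[who] = snapshot  # mimic a transaction revert
            raise Unhealthy(f"{who}: borrow would exceed limit")

    def donate_to_reserves(self, who: str, amount: float) -> None:
        # Moves collateral into reserves while the account's debt stays put.
        a = self.account(who)
        if amount > a.collateral:
            raise ValueError("cannot donate more than deposited")
        snapshot = replace(a)
        a.collateral -= amount
        self.reserves += amount
        if self.check_after_donate and not self.is_healthy(who):
            # Hardened form: roll back state and refuse, like a revert.
            self.accounts[who] = snapshot
            self.reserves -= amount
            raise Unhealthy(f"{who}: donation would leave account under-collateralised")


def run_scenario(check_after_donate: bool) -> dict:
    """Deposit, borrow to the limit, then donate half the collateral.
    Returns the observable outcome so both variants can be compared."""
    pool = Pool(check_after_donate)
    pool.deposit("alice", 100.0)   # constructed amounts
    pool.borrow("alice", 75.0)     # exactly at the borrow limit, still healthy
    try:
        pool.donate_to_reserves("alice", 50.0)
        reverted = False
    except Unhealthy:
        reverted = True
    a = pool.account("alice")
    return {
        "reverted": reverted,
        "healthy": pool.is_healthy("alice"),
        "collateral": a.collateral,
        "debt": a.debt,
        "reserves": pool.reserves,
    }


if __name__ == "__main__":
    print("missing check :", run_scenario(check_after_donate=False))
    print("hardened      :", run_scenario(check_after_donate=True))
```

In the unchecked variant the donation succeeds and the account is left with 75 of debt against 50 of collateral, i.e. below water, without any market movement having occurred. In the hardened variant the same call is refused and the account is unchanged. The general rule this models is that every code path which changes collateral or debt, not only `borrow`, should terminate in the same invariant check, and an auditor or monitoring rule can enumerate those paths and verify the check is present on each.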
Ironically, the code had passed six audits. “DeFi is the most hostile environment for building apps,” Euler CEO Michael Bentley later admitted.
The Hacker’s Change of Heart
Initially, the attacker seemed unstoppable. They laundered funds through Tornado Cash, a crypto mixer, and even sent $167,000 to a wallet linked to North Korea’s Lazarus Group. Yet within days, an unexpected shift occurred.
Euler’s team offered a deal: return 90% of the funds, or face legal action. Surprisingly, the hacker complied. Starting March 18, they returned $5.4 million in ETH. A week later, $89 million followed. By April 3, 84% of the stolen assets were recovered.
In an on-chain message, the hacker, a 20-year-old Argentinian using the alias “Jacob”, apologised to Bentley, a new father at the time. “I wanted to prove I could exploit DeFi,” he confessed. Due to rising ETH prices, Euler recovered $240 million, which was $43 million more than stolen.
The hack’s aftermath was brutal. Euler’s token (EUL) crashed 44%, employees were laid off, and trust evaporated. Bentley faced a choice: relaunch the patched original or bet on an overhaul.
At a 2023 offsite in Spain, the team designed Euler v2, a modular toolkit letting developers customise lending platforms. “We healed together,” Bentley said. They spent seven months and millions on 45 audits by 13 firms. When v2 launched in September 2023, it prioritised security and flexibility.
The gamble worked. By mid-2024, Euler’s deposits hit $387 million, with borrowed funds pushing it to $693 million. Among DeFi’s top 100 protocols, only three grew faster monthly.
Surviving DeFi’s “Hostile Environment”
Euler’s revival defies norms. Most hacked protocols fade, but v2’s success highlights lessons learnt. Bentley credits transparency and relentless security focus. “Fragilities get exposed, leading to robust systems,” he told DL News.
Yet risks linger. Competitors like Aave dominate with $27 billion in deposits. “Size matters; liquidity attracts more users,” Bentley admitted. Still, Euler’s growth amid market crashes proves resilience.
A Wake-Up Call for DeFi
The hack exposed critical gaps. Audits, while vital, aren’t foolproof. The flaw in “donateToReserves” slipped past experts, underscoring the need for real-time monitoring and layered checks.
For DeFi users, Euler’s saga offers hope and caution. While protocols can rebound, vigilance is non-negotiable. As Bentley warns, “It’s easy to focus on the bad, but these systems evolve through crisis.” Two years later, Euler stands taller, a testament to defiance in DeFi’s volatile arena.