Impact From Euler Exploit
Euler protocol suffered a $191M exploit, ranking it among the top 10 DeFi hacks. Projects relying on Euler for yield were also impacted, showcasing the downsides of composability as risks spread across DeFi. Some projects may now face systemic risks going forward.
The exploit
As explained by @FrankResearcher, the exploit was due to a lack of liquidity-checking in the protocol's donateToReserves() function. This weakness was exploited through a series of well-coordinated actions that resulted in the theft of millions of dollars in various tokens.
The attacker exploited this weakness by donating assets to the reserves, creating unhealthy positions, and later liquidating them and profiting from liquidation bonuses. In Euler's design, riskier loans yield greater rewards, which increased the attacker's gains even further.
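The missing check described above, shown as an added example that is not Euler's contract code: a toy Python model in which a donation to reserves is run once without and once with a post-operation liquidity check. The class and function names, the 90% collateral factor and the balances are all assumptions made for illustration.

```python
from dataclasses import dataclass

class InsufficientCollateral(Exception):
    """An operation would leave the account under-collateralized."""

@dataclass
class Account:
    collateral: int  # deposit balance, in whole token units (toy model)
    debt: int        # borrowed balance, same units

class ToyMarket:
    # Constructed parameter: collateral counts at 90% toward borrowing power.
    COLLATERAL_FACTOR_BPS = 9_000

    def __init__(self) -> None:
        self.reserves = 0

    def is_healthy(self, acct: Account) -> bool:
        return acct.collateral * self.COLLATERAL_FACTOR_BPS >= acct.debt * 10_000

    def donate_unchecked(self, acct: Account, amount: int) -> None:
        """Flawed shape: moves balance to reserves and never re-checks health."""
        if not 0 < amount <= acct.collateral:
            raise ValueError("invalid donation amount")
        acct.collateral -= amount
        self.reserves += amount

    def donate_checked(self, acct: Account, amount: int) -> None:
        """Hardened shape: same transfer, then a liquidity check that reverts."""
        snapshot = (acct.collateral, self.reserves)
        self.donate_unchecked(acct, amount)
        if not self.is_healthy(acct):
            acct.collateral, self.reserves = snapshot  # emulate an EVM revert
            raise InsufficientCollateral("donation would make the account unhealthy")

def compare(collateral: int, debt: int, donation: int) -> dict:
    """Run the same donation through both variants and report the outcome."""
    flawed_market, flawed_acct = ToyMarket(), Account(collateral, debt)
    flawed_market.donate_unchecked(flawed_acct, donation)
    fixed_market, fixed_acct = ToyMarket(), Account(collateral, debt)
    try:
        fixed_market.donate_checked(fixed_acct, donation)
        rejected = False
    except InsufficientCollateral:
        rejected = True
    return {"flawed_healthy": flawed_market.is_healthy(flawed_acct),
            "fixed_rejected": rejected,
            "fixed_healthy": fixed_market.is_healthy(fixed_acct),
            "fixed_reserves": fixed_market.reserves}

if __name__ == "__main__":
    print(compare(collateral=1_000, debt=800, donation=200))  # constructed values
```

The invariant to review for is that every function which lowers an account's collateral or raises its debt ends with the same health check that borrow and withdraw paths use.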
It was later discovered that Euler's vulnerable function was introduced after the protocol's multiple audits had been completed. As a result, the vulnerability remained undetected and unaudited. A subsequent audit focused on the SwapHub module but did not address the main issue.
On-chain analysis reveals the donateToReserves() function was only used by the attacker and the Euler team, and never by external accounts or other protocols. The Euler team implemented this change to simplify integrations and allow users to eliminate dust for gas refunds. However, it is evident that the vulnerability it created far outweighed the potential benefits, which were estimated at $10,000 in gas savings.
Following the exploit's discovery, the $cbETH pool experienced a surge in activity. This was because it was the only pool left to borrow assets from with existing collateral, causing the utilization rate to spike to the maximum ratio of 95%.
This anomaly may be attributed to $cbETH's built-in blacklist function, which allows the freezing of assets. It is likely that this function prevented the pool from being exploited, as the attacker's funds would be frozen and inaccessible.
Impact on other protocols
The Euler exploit had far-reaching consequences for various protocols in the DeFi landscape. This chart illustrates the financial impact on them, with Angle being hit the hardest, followed by Balancer, Idle Finance, and TempleDAO.
The chart highlights the composability of DeFi. While it offers numerous benefits, it is important to understand that it also spreads risk in an often overlooked way.
Protocols may feel inclined to cover the exploit losses from their treasuries. However, examining their financial health reveals that this may not be feasible.
By comparing the exploit amount to the liquidatable treasury (excluding own tokens), it is evident that most protocols aren't in a strong position to cover the losses, as the exploit losses significantly exceed available treasury funds.
If protocols were to sell their own tokens, the large reserves and low liquidity could cause a crash in token prices, worsening the situation even further. Should the exploiter not return the funds, it appears more likely that users will ultimately bear the losses.
Angle Protocol
With this in mind, let's take a closer look at Angle Protocol, which will face the most significant losses and considerable challenges going forward due to the Euler exploit.
Angle protocol, the issuer of $agEUR - the largest and most liquid Euro stablecoin, has taken a significant hit. Its stablecoin reserves were largely impacted by the hack, resulting in a total loss of $17.6M.
The Core module, responsible for issuing $agEUR in an over-collateralized way, relies on its reserves to maintain the stablecoin's peg. However, the significant loss from the hack has led to a 30% shortfall in these reserves.
As a result, $agEUR has depegged and currently trades at a considerable discount, reflecting the impact of the exploit on the protocol. Redemptions have therefore been suspended to mitigate further damage until the Euler hack situation unfolds and a resolution is found.
Over the weekend, the exploiter surprisingly returned $5.8M, sparking rumors of a whitehat hacker behind the attack. This has boosted public confidence that the stolen funds may be returned, and, as a result, $EUL price surged by 80% following the news.
Should the funds be returned, it is expected that the $agEUR peg will be restored, and the $ANGLE token would also recover. By addressing the reserve shortfall, the protocol would be able to resume redemptions, subsequently regaining stability and rebuilding users’ trust.
Yield Protocol
Another protocol significantly impacted by the exploit is Yield, which was fully built on top of Euler. As a result of the hack, Yield has lost almost all of its Ethereum TVL and has been paused, highlighting the extent of the domino effect caused by the security breach.
The Euler exploit and its ripple effects across multiple protocols highlight the importance of strong risk assessment and security audits in DeFi. The interconnected nature of these protocols can magnify the impact of a single exploit, leading to significant financial losses.