Euler Finance hacked despite 10 audits in 2 years, says CEO
Ten separate audits conducted over two years on the Ethereum-based lending protocol Euler Finance deemed it “nothing higher than low risk” and had “no outstanding issues” before it suffered from a $196 million attack.
In a series of tweets on March 17, Euler Labs CEO Michael Bentley described the “hardest days” of his life after Euler’s $196 million flash loan attack on March 13.
He retweeted one user sharing information that Euler had 10 audits from 6 different firms, commenting that the platform “has always been a security-minded project.”
Euler has always been a security-minded project. The Euler smart contracts, including the vulnerable lines of code, were audited.https://t.co/SvNeoKEGuY
— Michael Bentley (@euler_mab) March 16, 2023
Blockchain security firms, including Halborn, Solidified, ZK Labs, Certora, Sherlock and Omnisica, conducted smart contract audits on Euler Finance from May 2021 to September 2022.
Halborn ranked its risk assessment by measuring the “likelihood of a security incident” and the impact it may have, with the risk level ranging from very low and informational to critical. Euler received “nothing higher than low risk.”
It was revealed in a December 2022 summary of Halborn’s audit that it had found “an overall satisfactory result.”
The summary stated 23 smart contracts were “inspected and analyzed” by Halborn over a one-month period, of which only “two low risks and three informational” risks were identified.
Euler stated it had reviewed Halborn’s coverage and concluded the risks “pose no significant threats.”
Blockchain security firm Omnisica addressed some “incorrect paradigms” in Euler’s base swapper implementation and how the swap mode was “handled by the codebase.” However, the report stated that Euler had “properly dealt” with these issues, with “no outstanding issues” remaining.
Related: Euler Finance blocks vulnerable module, working on recovering funds
On March 16, the protocol’s hacker began moving funds through crypto mixer Tornado Cash only hours after a $1 million bounty was launched by Euler for information leading to the hacker’s arrest.
In his recent Twitter thread, Bentley said he’d never “forgive the attacker” as he was forced to “sacrifice time” with his newborn son due to the attack but thanked security experts who are “working on leads” for the investigation.
Only 24 hours before the bounty, Euler issued a warning saying it would launch one “that leads to your arrest and the return of all funds” if 90% of the fund were not returned within 24 hours.