(Bloomberg) -- Decentralized lending protocol Euler Finance was hit by an attack that drained $197 million in cryptocurrencies from its platform on Monday, making it the largest hack in its corner of the digital-assets market this year.
The bulk of the hacker’s loot — worth roughly $135 million — was denominated in staked Ether tokens (stETH), while the remainder was held in wrapped Bitcoin and stablecoins DAI and USDC, according to security firm BlockSec. Some of the proceeds from the attack are already being laundered through Tornado Cash, a US-sanctioned platform which enables users to obfuscate their transaction history, security companies PeckShield Inc and Elliptic said.
The incident on Monday morning in London has almost wiped out Euler’s on-chain value, leaving only around $9.7 million locked on the platform, data from DeFiLlama show. Euler Finance allows users to lend and borrow large amounts of cryptoassets through an automated service that does not require human intervention. The protocol’s EUL token fell more than 50% to a low of $2.88 after the attack was disclosed, according to pricing data from CoinGecko.
Details of the hack weren’t immediately provided by the platform’s developer Euler Labs.
“We continue to investigate this morning’s unlawful extraction of funds from the Euler protocol,” Euler Labs said in a tweet on Monday. Euler Labs didn’t immediately respond to earlier requests for comment from Bloomberg.
Hacks have plagued the cryptocurrency sector over the past year, with decentralized finance platforms emerging as prime targets. DeFi protocols operate with limited daily oversight from humans, instead relying on lines of open-source code to automatically execute transactions. This leaves them vulnerable to flaws in that code that can be exploited, and makes it harder for teams to stop hackers in their tracks.
Attacks on DeFi protocols accounted for $3.1 billion or 82.1% of all cryptoassets stolen by hackers in 2022, according to Chainalysis.
Euler Finance offers its users so-called “flash loans,” which allow traders to borrow large amounts without posting a lot of collateral under the agreement that they’ll repay the loan almost immediately. It’s a popular tool among arbitrage traders looking to benefit from tokens having different prices across exchanges, as the loan’s process of borrowing, trading and repayment all happens in the same transaction.
While Euler has yet to clarify exactly how the exploit happened, analysts pointed to its flash loans as a potential vector. In this instance, a flaw in Euler’s code allowed the attacker to simulate fake debt on the platform and then make off with the reward once those loans were liquidated, according to security firm Hexagate.
Flash loans have been a popular focus of hacks in the past. DeFi platform Beanstalk suffered a total loss of around $182 million thanks to a flaw in its flash-loans code in April last year, while in 2021 Cream Finance and Alpha Homora lost $130 million and $37 million respectively in a similar manner.
The incident at Euler is the latest blow to the battered crypto sector, following the shutdown of several crypto-friendly US banks in the last week, which left multiple major digital-asset companies exposed. Those collapses have capped off months of bankruptcies, scandals and layoffs among crypto companies, triggered by a rout in digital asset prices.
UK-based Euler Labs was founded in 2020 and has raised more than $40 million to date from investors including Haun Ventures, Coinbase Global Inc. and Jump Crypto, according to information compiled by PitchBook.
(Updates with comment from Euler in the fifth paragraph.)
©2023 Bloomberg L.P.