Hack·resolved

Euler Finance Hack — March 2023

A flash-loan exploit of a missing solvency check drained $197M from the Ethereum money market — and was returned in full within three weeks after the protocol's public negotiations with the attacker.

Euler Finance was a non-custodial money market on Ethereum that allowed permissionless listing of ERC-20 tokens as collateral and borrowable assets. Each market had associated risk parameters, and its borrowing and collateralisation logic relied on an internal account-health calculation.

On 13 March 2023 an attacker exploited a missing solvency check in the protocol's 'donateToReserves' function. By using flash-borrowed funds to manipulate their account state and donating to reserves before triggering liquidation, the attacker was able to extract approximately $197M of underlying assets — primarily DAI, USDC, stETH and wBTC.
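
A simplified model of the missing check, added here as an illustration; it is not Euler's contract code. The class and function names, the 90% collateral factor and the balances are assumptions, and the model covers only the solvency invariant, with the unchecked donation beside a hardened form that re-checks account health and reverts.

```python
from dataclasses import dataclass

FACTOR_BPS = 9_000  # assumed collateral factor: 90%, in basis points


class InsolventError(Exception):
    """An operation would leave the account under-collateralised."""


@dataclass
class Account:
    collateral: int  # deposit balance, constructed units
    debt: int        # borrowed balance, constructed units


class ToyMarket:
    def __init__(self) -> None:
        self.reserves = 0

    @staticmethod
    def is_healthy(acct: Account) -> bool:
        # Solvency invariant: risk-adjusted collateral must cover debt.
        return acct.collateral * FACTOR_BPS >= acct.debt * 10_000

    def donate_unchecked(self, acct: Account, amount: int) -> None:
        """The flaw: collateral leaves the account and nobody re-checks health."""
        if not 0 < amount <= acct.collateral:
            raise ValueError("invalid donation amount")
        acct.collateral -= amount
        self.reserves += amount

    def donate_checked(self, acct: Account, amount: int) -> None:
        """Hardened form: apply the change, then revert if the invariant breaks."""
        snapshot = (acct.collateral, self.reserves)
        self.donate_unchecked(acct, amount)
        if not self.is_healthy(acct):
            acct.collateral, self.reserves = snapshot  # emulate an EVM revert
            raise InsolventError("donation would make the account insolvent")


def compare(collateral: int, debt: int, amount: int) -> dict:
    """Run the same donation through both variants on identical accounts."""
    weak_acct, strong_acct = Account(collateral, debt), Account(collateral, debt)
    weak, strong = ToyMarket(), ToyMarket()
    weak.donate_unchecked(weak_acct, amount)
    try:
        strong.donate_checked(strong_acct, amount)
        rejected = False
    except InsolventError:
        rejected = True
    return {"weak_healthy": weak.is_healthy(weak_acct), "rejected": rejected,
            "strong_collateral": strong_acct.collateral, "strong_reserves": strong.reserves}
```

The general rule the model illustrates: any function that reduces an account's collateral or increases its debt has to end with the same health check that borrow and withdraw paths use.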

The protocol immediately offered a 10% whitehat bounty for return of the remaining funds. Public on-chain messages between Euler and the attacker followed. On 18 March the attacker began returning funds in tranches; the process continued through 4 April. The final on-chain message from the attacker's address read: "I am sorry for the chaos and harm I have caused".

The motivation for the return has been the subject of considerable speculation. Public reporting later identified Chainalysis-led tracing efforts and direct contact between Euler's legal team and the attacker as factors. No public prosecution has been disclosed.

Timeline

  1. Flash-loan attack drains $197M

    Attacker exploits missing solvency check in 'donateToReserves' across six transactions over 22 minutes.

  2. Euler offers 10% whitehat bounty for return

    Public on-chain message offering to drop legal claims in exchange for return of 90% of stolen funds.

  3. Attacker begins returning funds

    First on-chain transfers from attacker addresses back to Euler.

  4. Final tranche returned; full recovery

    All stolen funds returned. Attacker's closing on-chain message: "I am sorry for the chaos and harm I have caused".
