Lack of a liquidity check in the donateToReserves() function
https://twitter.com/BlockSecTeam/status/1635204706703384577
https://twitter.com/pcaversaccio/status/1635210680130486272
https://twitter.com/zachxbt/status/1635209310916743170
https://twitter.com/FrankResearcher/status/1635241475989721089
https://email@example.com/euler-finance-incident-post-mortem-1ce077c28454
Euler is a non-custodial protocol on Ethereum that allows users to lend and borrow almost any crypto asset. Euler Finance was attacked and at least $177M was taken in ~96,833 $ETH ($153M) and ~34M $DAI as well as WBTC and USDC.
According to ZachXBT, the attacker also exploited several other protocols and deposited the stolen funds into Tornado Cash (https://etherscan.io/address/0xb1546454219ccf4202c91024943321e8c92f509d).
The attacker exploited vulnerable code that allowed them to create an unbacked debt position: donateToReserves() let an account donate funds to the protocol's reserves without checking that the account remained sufficiently collateralized afterwards, leaving it underwater. The attacker then liquidated these underwater accounts and profited from the liquidation bonuses.
Stolen funds were sent to Tornado Cash through an intermediary address.
As of 4/3/2023, the exploiter has returned most of the funds (90%).
DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this website makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.