The March 13 flash loan attack against Euler Finance resulted in over $195 million in losses. It caused a contagion to spread through multiple decentralized finance (DeFi) protocols, and at least 11 protocols other than Euler suffered losses due to the attack.
Over the next 23 days, and to the great relief of many Euler users, the attacker returned all of the exploited funds.
But while the crypto community can celebrate the return of the funds, the question remains whether similar attacks may cause massive losses in the future.
An analysis of how the attack happened and whether developers and users can do anything to help prevent these kinds of attacks in the future may be helpful.
Luckily, Euler’s developer docs clearly explain how the protocol works, and the blockchain itself has preserved a complete record of the attack.
How Euler Finance works
According to the protocol’s official docs, Euler is a lending platform similar to Compound or Aave. Users can deposit crypto and allow the protocol to lend it to others, or they can use a deposit as collateral to borrow crypto.
The value of a user’s collateral must always be more than what they borrow. Suppose a user’s collateral falls below a specific ratio of collateral value to debt value. In that case, the platform will allow them to be “liquidated,” meaning their collateral will be sold off to pay back their debts. The exact amount of collateral a user needs depends upon the asset being deposited vs. the asset being borrowed.
eTokens are assets, while dTokens are debts
Whenever users deposit to Euler, they receive eTokens representing the deposited coins. For example, if a user deposits 1,000 USD Coin (USDC), they will receive the same amount of eUSDC in exchange.
Since they become worth more than the underlying coins as the deposit earns interest, eTokens don’t have a 1:1 correspondence with the underlying asset in terms of value.
Euler also allows users to gain leverage by minting eTokens. But if they do this, the protocol will send them debt tokens (dTokens) to balance out the assets created.
For example, the docs say that if a user deposits 1,000 USDC, they can mint 5,000 eUSDC. However, if they do this, the protocol will also send them 5,000 of a debt token called “dUSDC.”
The transfer function for a dToken is written differently than a standard ERC-20 token. If you own a debt token, you can’t transfer it to another person, but anyone can take a dToken from you if they want to.
Related: Liquidity protocol Sentiment exploited for over $500K
According to the Euler docs, a user can only mint as many eTokens as they would have been able to by depositing and borrowing over and over again, as it states, “The Mint function mimics what would happen if a user deposited $1,000 USDC, then borrowed $900 USDC, then redeposited that $900 USDC, to borrow $810 more USDC, and so on.”
Users liquidated if health scores drop to 1 or below
According to a blog post from Euler, each user has a “health score” based on the value of the eTokens held in their wallets vs. the value of the dTokens held. A user needs to have a greater dollar value of eTokens than dTokens, but how much more depends on the particular coins they are borrowing or depositing. Regardless, a user with enough eTokens will have a health score greater than 1.
If the user barely falls below the required number of eTokens, they will have a health score of precisely 1. This will subject them to “soft liquidation.” Liquidator bots can call a function to transfer some of the user’s eTokens and dTokens to themselves until the borrower’s health score returns to 1.25. Since a user who is barely below the collateral requirements will still have more collateral than debt, the liquidator should profit from this transaction.
If a user’s health score falls below 1, then an increasing discount is given out to the liquidator based on how bad the health score is. The worse the health score, the greater the discount to the liquidator. This is intended to make sure that someone will always liquidate an account before it accumulates too much bad debt.
Euler’s post claims that other protocols offer a “fixed discount” for liquidation and argues why it thinks variable discounts are superior.
How the Euler attack happened
Blockchain data reveals that the attacker engaged in a series of attacks that drained various tokens from the protocol. The first attack drained around $8.9 million worth of Dai (DAI) from the Dai deposit pool. It was then repeated over and over again for other deposit pools until the total amount was drained.
The attacker used three different Ethereum addresses to perform the attack. The first was a smart contract, which Etherscan has labeled “Euler Exploit Contract 1,” used to borrow from Aave. The second address was used to deposit and borrow from Euler, and the third was used to perform a liquidation.
To avoid having to repeatedly state the addresses that Etherscan has not…
cointelegraph.com