Unidentified cybercriminals managed to boost nearly $200 million from the decentralized finance lender Euler Finance on Monday. The attack, which stole millions in crypto assets like DAI and USD Coin, is being hailed as the biggest crypto hack of the year so far. If this year is anything like 2022, when hackers stole more than $3 billion in crypto, the Euler theft certainly won’t be the last.
Euler, which refers to itself as a team of software engineers “specialising in the research and development of financial applications,” is the developer behind a “capital-efficient permissionless lending protocol” that the company says helps users “earn interest on their crypto assets or hedge against volatile markets without the need for a trusted third-party.” Unfortunately, a trusted third party might have actually been kind of useful when it came to defending users’ assets from whoever just hijacked them by the armful.
One of the first to spot the attack was Peckshield, a blockchain security company that is known for flagging irregular asset transfers. On Monday, Peckshield tweeted out a link showing abnormally high transfers from Euler.
Euler confirmed it knew about this, replying: “We are aware and our team is currently working with security professionals and law enforcement.”
Later on Monday, Euler tweeted: “We continue to investigate this morning’s unlawful extraction of funds from the Euler protocol. The Euler Labs team has taken several immediate actions to attempt to recover the funds and identify exactly what happened, including contacting and sharing information with law enforcement, and working with independent third-party auditors and security firms.”
Another blockchain security company, SlowMist, has deduced that the theft was carried out using what is known as a “flash loan attack.” Such attacks use sophisticated manipulation of a crypto lender’s smart contracts to borrow massive amounts of crypto without having to front any collateral.
That said, it’s unclear what law enforcement can actually do in this case or whether users will ever get their money back. As in a lot of other crypto heists in recent memory, victims may be up the proverbial creek without a paddle.