How Damaging Was the Euler Hack to DeFi’s ‘Money Legos’ Promise?
DeFi faced its very own contagion event this past week after Euler Finance was drained of nearly $200 million via six flash loans and a vulnerability.
It was a major blow to the sector; Euler had been seen as the next great building block after Compound and Aave.
Beyond flinging long-tail assets into the protocol and gambling risk à la Cream Finance, the popular crypto lender created isolated lending pools to help silo collateral damage should degens borrow against the wrong memecoin.
Now, though, the whole ship is sunk.
It’s not just that: along with Euler, roughly 10 other DeFi protocols were affected thanks to the various integrations established along the way. Yield App, Swivel Finance, Angle, and several others all announced their level of exposure to their communities.
Ironically, this ability to clip and connect various liquidity pools and lending platforms throughout the ecosystem was one of the key pillars of DeFi.
Composability, the devs called it. Money legos, yelled the meme gurus.
“Composable protocols are the backbone of DeFi and blockchain technology in general and they are a super power for builders and users,” OpenZeppelin’s solutions developer Gustavo Gonzalez told Decrypt. “But like any super power they also present risks that need to be taken into account when designing and developing a smart contract system.”
Tuesday’s events revealed precisely how those risks can snowball into pandemonium.
“The exploit of Euler Finance and the inherent impact on more than ten DeFi protocols who relied on Euler Finance shows us the other side of composability,” yield protocol Spool’s head of risk Hendo Verbeek told Decrypt. “Contagion by extension, which is even sourer given that a healthy part of the DeFi user base has a limited understanding when it comes to how protocols use each other.”
Indeed, many degens felt blindsided by the hack. After all, Euler had undergone six different audits from some of the leading software auditing firms in the game.
So, what happened?
It initially appeared that there were several changes made to the underlying smart contracts that were not audited, suggesting that these precise changes had led to the protocol’s vulnerability. In its post-mortem, however, Euler explained that “while the vulnerable code was reviewed and approved during an outside audit, the vulnerability was not discovered as part of the audit.”
Euler Labs works with various security groups to perform audits of the Euler Finance protocol.
While the vulnerable code was reviewed and approved during an outside audit, the vulnerability was not discovered as part of the audit.
The vulnerability remained on-chain for eight… https://t.co/M3PYSOwHhL
— Euler Labs (@eulerfinance) March 14, 2023
It’s clearly a messy process for the auditing group in question, and the person behind Officer’s Notes, an anon Twitter account that tracks hacks and opsec in the crypto world, told Decrypt that the industry is still waiting for a standard security process.
While the industry waits for such a standard, projects should actively combine multiple audits and go heavy on bug bounties, “which will end up being cheaper for a company/protocol/project that needs to have their smart contracts checked,” they said.
Euler’s hack has to be one of the biggest losses in DeFi for some time. Still, it’s not over yet for the money lego narrative, said OpenZeppelin’s Gonzalez.
“It’s only another reminder as to why security is difficult and monitoring is important,” he said.
DeFi is far from over—you just need to know where to look.
How did DeFi do during the banking chaos?
As Circle was reeling with $3.3 billion locked up in a bank that was slowly sinking, its stablecoin plummeted as low as $0.87.
Many degens punted at this pico bottom, borrowing USDT against ETH to scoop up the discounted token, and have since reemerged victorious.
Others cut their losses and fled to more decentralized pastures.
Maker’s DAI was one big winner in all this. Though its backing is primarily made up of USDC, and it too fell off its peg, the market capitalization of the largest decentralized stablecoin soared and has stayed there.
Likewise for Liquity’s LUSD and the lesser-known RAI. Each of these stablecoins served up relatively safe decentralized alternatives when SVB hit the fan.
And as traders were scrambling for the exits, platforms that offered the best deals on broken stablecoins hit new record volumes (and earned their liquidity providers a pretty penny in the process).
In the heat of the depegging, Curve Finance posted volumes of $6.03 billion.
During the week of March 11, Uniswap did nearly double that across its WETH-USDC, USDT-USDC, and DAI-USDC pools.
In the end, it certainly wasn’t a win for DeFi. But it’s still here, and clearly, traders still need it.
For now, perhaps that’s enough.
Editor’s note: This article was updated on March 18, 2023, at 6 pm ET to show that the vulnerable code in question was audited but not discovered. A previous edition reported the newly-added code had not been audited.