UK crypto startup Euler Labs has suffered a devastating cyber-attack, in which threat actors managed to steal close to $200m from its DeFi lending protocol.
The firm provides a DeFi protocol on Ethereum that it claims allows users to lend and borrow almost any crypto asset.
However, yesterday hackers managed to exploit a vulnerability in its code which enabled them to steal around $199m in various digital currencies: USDC ($34.1m), Dai ($8.8m), Wrapped Bitcoin ($18.9m) and Staked Ether ($137.1m), according to blockchain analysis firm Elliptic.
“Flash loan attacks involve taking out large, short-term uncollateralized crypto loans from a DeFi service, and using the large sums involved to manipulate the market and other DeFi services in their favor,” the firm explained.
“The proceeds of the attack are already being laundered through Tornado Cash, a decentralized mixer that has been sanctioned by the US government.”
Elliptic said the funds used to carry out the attack came from a Monero wallet. Although Monero is a private coin which doesn’t have a public ledger of transactions associated with it, it is possible to track these funds using Elliptic’s investigation tools, the firm said.
For its part, Euler Finance said it immediately took action to try and contain the attack and engaged blockchain intelligence firms Chainalysis and TRM Labs, as well as the Ethereum security community, to try and recover the stolen funds.
The startup also shared information with UK and US law enforcers and even contacted its attackers “to see if we might learn more about our options.”
Euler Labs was also quick to point out that auditors had not managed to spot the vulnerability in previous analyses of its lending protocol.
“Euler Labs works with various security groups to perform audits of the Euler Finance protocol. While the vulnerable code was reviewed and approved during an outside audit, the vulnerability was not discovered as part of the audit,” it said.
“The vulnerability remained on-chain for eight months until it was exploited today, despite a $1m bug bounty being in place during that time.”