Euler Finance, an Ethereum-based lending protocol, underwent 10 audits from six different blockchain security firms between May 2021 and September 2022. The audits ranked the risk assessment of the platform, measuring the “likelihood of a security incident” and the impact it may have. The risk level for Euler ranged from very low and informational to critical, with none deemed “nothing higher than low risk” with “no outstanding issues.” Despite the extensive audits, Euler suffered a $196 million flash loan attack on March 13, 2023.
In response to the attack, Euler Labs CEO Michael Bentley described it as the “hardest days” of his life in a series of tweets on March 17. He retweeted a user sharing information that Euler had undergone ten audits, commenting that the platform “has always been a security-minded project.” Euler had also issued a warning only 24 hours before launching a $1 million bounty for information leading to the hacker’s arrest, stating that it would launch a bounty “that leads to your arrest and the return of all funds” if 90% of the funds were not returned within 24 hours.
Despite the audits, Euler’s attacker began moving funds through crypto mixer Tornado Cash on March 16, only hours after the bounty was launched. In his Twitter thread, Bentley expressed his frustration at the attack and the sacrifices he had to make as a result, including time with his newborn son. However, he also thanked the security experts who are “working on leads” for the investigation.
While some blockchain security firms, such as Omnisica, found and addressed some “incorrect paradigms” in Euler’s base swapper implementation and how the swap mode was “handled by the codebase,” the audits concluded that Euler had “properly dealt” with these issues, with “no outstanding issues” remaining. Halborn’s audit summary in December 2022 also stated that it had found “an overall satisfactory result.”
In conclusion, Euler Finance’s 10 audits from six different blockchain security firms in two years did not prevent a $196 million flash loan attack. Despite the audits deeming the platform “nothing higher than low risk” with “no outstanding issues,” the attacker was able to move the funds through crypto mixer Tornado Cash only hours after Euler launched a $1 million bounty for their arrest. The investigation into the attack is ongoing.