Euler Finance Incident | Q1 Hack3d Report

CertiK
2 min read · Jul 25, 2023

Malicious actors stole over $320 million of value from Web3 protocols across 207 separate incidents in Q1 2023.

This represents just over a third of the $950 million lost in Q4, and a quarter of the $1.3 billion lost in Q1 2022. Just one incident — the Euler Finance exploit at $197 million — represented over 60% of all value lost in Q1.

This highlights the asymmetrical rewards on offer for successful exploits of large protocols.

Off-chain, Q1 has seen some significant events for the crypto industry, from the shuttering of Silvergate Bank, one of the industry’s strongest links to the traditional finance industry, to the weekend de-pegging of USDC during the Silicon Valley Bank tumult. It’s been an eventful quarter, but that’s nothing new for crypto.

The Euler Finance Incident was the most significant of Q1. Euler Finance is “a non-custodial protocol on Ethereum that allows users to lend and borrow almost any crypto asset.” On 13 March, an attacker utilized flash loans to exploit multiple Euler Finance pools. They walked away with a total profit of approximately $197 million.

This incident alone more than doubles the total lost to all other security incidents in Web3 during the first quarter of 2023. Euler’s vulnerability lay within the `donateToReserves` function in the Euler Pool contracts.

This function did not check the caller’s liquidity (collateralization) status after a donation, so a user could deliberately give up a portion of a leveraged deposit and leave the position, and with it the pool, insolvent.

Using 20 million DAI obtained via a flash loan from Aave, the attacker created a highly leveraged position through the `mint` function of the Euler lending protocol.

The `mint` function allows a user to create a recursive lending loop, minting equity and debt tokens, depositing the equity tokens, and then borrowing against them.

The attacker deposited the 20 million DAI and leveraged the `mint` function to increase their position size ten times, to 200 million. They then repaid 10 million, which allowed them to leverage up again with another 200 million eDAI tokens.

By donating 100 million eDAI to the protocol, using the vulnerable `donateToReserves` function, the attacker’s position was pushed into the liquidation range.

They then liquidated their own position and received the 20% bonus as per the functioning of the Euler platform.
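To make the missing check concrete, here is a simplified Python accounting model added to this write-up; it is not Euler’s Solidity code and not part of the CertiK report. A position holds equity (collateral) and debt valued in one unit, a health ratio of risk-adjusted collateral over debt decides whether it is liquidatable, and two donation paths are compared: one that burns equity into reserves without re-validating the position (the class of defect described above) and one that rejects any donation leaving the position below the liquidation threshold. The collateral factor, the function names and the numbers are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Illustrative collateral factor for a simplified single-asset pool. This is an
# assumption for the model, not Euler's actual risk parameter.
COLLATERAL_FACTOR = 0.9


class InsolventPosition(Exception):
    """Raised when an action would leave a position liquidatable (health < 1.0)."""


@dataclass
class Position:
    """A user's position valued in one unit (e.g. DAI). Equity ('e') tokens are
    collateral; debt ('d') tokens are borrowings."""
    collateral: float
    debt: float

    def health(self) -> float:
        """Risk-adjusted collateral over debt. Below 1.0 the position can be liquidated."""
        if self.debt == 0:
            return float("inf")
        return self.collateral * COLLATERAL_FACTOR / self.debt

    def is_liquidatable(self) -> bool:
        return self.health() < 1.0


def mint(pos: Position, amount: float) -> Position:
    """Self-collateralized mint: equity and debt increase together (the recursive
    lending loop the report describes). The borrow path enforces a healthy-after
    check; this is the model's assumption of normal behaviour."""
    after = Position(pos.collateral + amount, pos.debt + amount)
    if after.is_liquidatable():
        raise InsolventPosition(f"mint of {amount} would leave health {after.health():.3f}")
    return after


def donate_to_reserves_vulnerable(pos: Position, amount: float) -> Position:
    """Donation path without a liquidity check: the caller's equity is moved to
    reserves and the resulting position is never re-validated. Models the missing
    check described in the text; not Euler's code."""
    if amount > pos.collateral:
        raise ValueError("cannot donate more equity than held")
    return Position(pos.collateral - amount, pos.debt)


def donate_to_reserves_hardened(pos: Position, amount: float) -> Position:
    """Same donation, but the projected position must stay healthy, so a user
    cannot deliberately push their own position into the liquidation range."""
    after = donate_to_reserves_vulnerable(pos, amount)
    if after.is_liquidatable():
        raise InsolventPosition(
            f"donation of {amount} would leave health {after.health():.3f}; rejected"
        )
    return after


def max_safe_donation(pos: Position) -> float:
    """Largest donation the hardened check allows: equity that can be removed
    while keeping collateral * COLLATERAL_FACTOR >= debt."""
    return max(0.0, pos.collateral - pos.debt / COLLATERAL_FACTOR)


def demo() -> dict:
    """Constructed walk-through: build a leveraged position, then push the same
    donation through both code paths."""
    pos = mint(Position(collateral=20.0, debt=0.0), 80.0)   # 100 collateral / 80 debt
    unchecked = donate_to_reserves_vulnerable(pos, 30.0)      # 70 * 0.9 / 80 = 0.7875
    try:
        donate_to_reserves_hardened(pos, 30.0)
        hardened_rejected = False
    except InsolventPosition:
        hardened_rejected = True
    return {
        "health_before": pos.health(),
        "liquidatable_after_unchecked_donation": unchecked.is_liquidatable(),
        "hardened_rejected": hardened_rejected,
        "max_safe_donation": max_safe_donation(pos),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that every state-changing path that can reduce a user’s collateral, not only borrow and withdraw, must end with the same liquidity check; an audit or invariant test can enumerate those paths and assert that none of them can take a healthy position to `is_liquidatable() == True` in a single call.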
