A Cryptocurrency Whitehat Discovers Vulnerability Leading to $200 Million Attack
A pseudonymous whitehat, known as Kankodu, recently announced that a bug bounty report they had submitted led to a fix that inadvertently introduced a new vulnerability on Euler Finance. This vulnerability resulted in a devastating $200 million attack on the decentralized lending protocol in March. In a post on X (formerly Twitter), Kankodu explained that the fix they suggested for one bug ended up creating the feature responsible for the hack.
Understanding Euler Finance and eTokens
Euler Finance is a platform where users can lend assets and receive eTokens in return. These eTokens, like eDAI for DAI deposits, represent the deposited asset and any interest earned. The amount of eTokens received is determined by an exchange rate that considers the interest earned.
In July 2022, Kankodu reported the “first deposit bug” on Euler, which was a separate issue from the March incident. This bug could have allowed attackers to exploit Euler by artificially inflating exchange rates and withdrawing all tokens. Kankodu was rewarded $50,000 by the Euler team for discovering this bug.
Kankodu: A Crypto Whitehat and Ethical Hacker
Kankodu is a crypto whitehat, an ethical hacker, who ranks 17th on the web3 bug bounty platform Immunefi. They have submitted 28 paid reports and earned a total of $689,000. Their expertise in identifying vulnerabilities has contributed significantly to enhancing the security of various crypto projects.
The Fix and Its Unintended Consequence
To address the vulnerability, Euler implemented a change where new eTokens started with a total supply and reserve of 1 million wei. This made such attacks on newly created eTokens economically unfeasible. However, for existing eTokens whose reserves were below 1 million wei, Euler introduced a function called “donateToReserves.” This function, intended to increase reserves, unintentionally created a larger vulnerability, the one exploited in the $200 million attack.
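To show why a seeded supply and reserve protects a new market, here is a simplified exchange-rate model of the first-deposit bug described above and of the 1 million wei seed fix. It is an added example, not Euler's contract code: the class, the minting formula (eTokens = amount divided by the rate reserve/supply, rounding down, 1:1 when supply is zero) and the scenario function are assumptions for illustration.

```python
# Simplified eToken exchange-rate model (added example, not Euler's code).
# All values are integers in wei. Assumed minting rule: a market with zero
# supply mints 1:1; otherwise eTokens = amount * supply // reserve.
from dataclasses import dataclass


@dataclass
class EMarket:
    reserve: int  # underlying held by the market
    supply: int   # eTokens outstanding

    def exchange_rate(self) -> float:
        """Underlying per eToken; 1.0 for an empty market."""
        return self.reserve / self.supply if self.supply else 1.0

    def deposit(self, amount: int) -> int:
        """Mint eTokens for `amount` of underlying; may round down to 0."""
        minted = amount if self.supply == 0 else amount * self.supply // self.reserve
        self.reserve += amount
        self.supply += minted
        return minted

    def redeem(self, etokens: int) -> int:
        """Burn eTokens and pay out the underlying they represent, rounding down."""
        out = etokens * self.reserve // self.supply
        self.reserve -= out
        self.supply -= etokens
        return out


def first_deposit_scenario(seed: int, skew: int, victim_deposit: int) -> dict:
    """seed: supply and reserve the market starts with (0 = before the fix,
    10**6 = after the fix). skew: underlying that lands in the reserve without
    minting eTokens (what inflates the rate), after a 1 wei first deposit.
    Returns what a later depositor is minted, what the first depositor can then
    redeem, and the resulting exchange rate."""
    m = EMarket(reserve=seed, supply=seed)
    first = m.deposit(1)
    m.reserve += skew
    second = m.deposit(victim_deposit)
    return {
        "second_depositor_etokens": second,
        "first_depositor_redeems": m.redeem(first),
        "rate": m.exchange_rate(),
    }


if __name__ == "__main__":
    # Constructed sample amounts: 10 ETH of skew against a 5 ETH deposit.
    for seed in (0, 10**6):
        print(seed, first_deposit_scenario(seed, 10 * 10**18, 5 * 10**18))
```

With seed 0 the later depositor receives zero eTokens and the first depositor can redeem the whole reserve; with the 1 million wei seed the later depositor is minted a proportional share and the skew is mostly lost to the pool, which is what makes the attack uneconomic.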
Euler’s $200 Million Hack and Recovery
The attack on Euler resulted in a loss of nearly $200 million across multiple assets, including staked ether (stETH), USDC, wrapped bitcoin (WBTC), and DAI. Flash loans, which attackers commonly use because they require no collateral, were used in the attack.
Following the attack, Euler’s EUL token experienced a significant decrease in value. However, the attacker later returned $177 million in a series of transactions, accounting for the expected “recoverable funds” from the hack.
Hot Take: Vigilance and Collaboration Are Vital in Crypto Security
The incident involving Euler Finance highlights the importance of thorough security measures in the crypto industry. It emphasizes the need for constant vigilance, bug bounty programs, and collaboration between ethical hackers and project teams. By working together, the crypto community can strive towards creating a safer and more secure ecosystem for all participants.