The Unintentional $200M Euler Attack: A Bug Fix Gone Awry in Whitehats Perspective

The Unintentional $200M Euler Attack: A Bug Fix Gone Awry in Whitehats Perspective

A Cryptocurrency Whitehat Discovers Vulnerability Leading to $200 Million Attack

A pseudonymous whitehat, known as Kankodu, recently announced that they had submitted a bug bounty report that inadvertently introduced a vulnerability on Euler Finance. This vulnerability resulted in a devastating $200 million attack on the decentralized lending protocol in March. In a post on X (formerly Twitter), Kankodu explained that the fix they suggested for a bug ended up creating a feature responsible for the hack.

Understanding Euler Finance and eTokens

Euler Finance is a platform where users can lend assets and receive eTokens in return. These eTokens, like eDAI for DAI deposits, represent the deposited asset and any interest earned. The amount of eTokens received is determined by an exchange rate that considers the interest earned.

In July 2022, Kankodu reported the “first deposit bug” on Euler, which was a separate issue from the March incident. This bug could have allowed attackers to exploit Euler by artificially inflating exchange rates and withdrawing all tokens. Kankodu was rewarded $50,000 by the Euler team for discovering this bug.

Kankodu: A Crypto Whitehat and Ethical Hacker

Stay ahead in the crypto world with our newsletter!

Subscribe now for the latest updates, insights, and trends in the cryptocurrency market.

Kankodu is a crypto whitehat, an ethical hacker, who ranks 17th on the web3 bug bounty platform Immunefi. They have submitted 28 paid reports and earned a total of $689,000. Their expertise in identifying vulnerabilities has contributed significantly to enhancing the security of various crypto projects.

The Fix and Its Unintended Consequence

To address the vulnerability, Euler implemented a feature where new eTokens started with a total supply and reserve of 1 million wei. This change made initial attacks economically unfeasible. However, for existing eTokens with reserves below 1 million wei, Euler introduced a function called “donateToReserves.” This function, intended to increase reserves, unintentionally created a larger vulnerability that was exploited in the $200 million attack.

Euler’s $200 Million Hack and Recovery

The attack on Euler resulted in a loss of nearly $200 million across multiple assets. This included staked ether (stETH), USDC, wrapped bitcoin (WBTC), and DAI. Flash loans, commonly exploited by attackers due to the lack of required collateral, were utilized in the attack.

Following the attack, Euler’s EUL token experienced a significant decrease in value. However, the attacker later returned $177 million in a series of transactions, accounting for the expected “recoverable funds” from the hack.

Hot Take: Vigilance and Collaboration Are Vital in Crypto Security

The incident involving Euler Finance highlights the importance of thorough security measures in the crypto industry. It emphasizes the need for constant vigilance, bug bounty programs, and collaboration between ethical hackers and project teams. By working together, the crypto community can strive towards creating a safer and more secure ecosystem for all participants.

Author – Contributor at | Website

Theon Barrett shines as a distinguished crypto analyst, accomplished researcher, and skilled editor, making significant strides in the field of cryptocurrency. With an astute analytical approach, Theon brings clarity to intricate crypto landscapes, offering insights that resonate with a broad audience. His research prowess goes hand in hand with his editorial finesse, allowing him to distill complex information into accessible formats.

Read Disclaimer
This page is simply meant to provide information. It does not constitute a direct offer to purchase or sell, a solicitation of an offer to buy or sell, or a suggestion or endorsement of any goods, services, or businesses. does not offer accounting, tax, or legal advice. When using or relying on any of the products, services, or content described in this article, neither the firm nor the author is liable, directly or indirectly, for any harm or loss that may result. Read more at Important Disclaimers and at Risk Disclaimers.
Subscribe to our Social Media for Exclusive Crypto News and Insights 24/7!

Email me the hottest Crypto news!

You may also like

Share via
Share via