Euler Finance, an Ethereum-based lending protocol, underwent 10 audits from six different blockchain security firms between May 2021 and September 2022. The audits assessed the platform’s risk, measuring the “likelihood of a security incident” and the impact it could have. The risk levels ranged from very low and informational to critical, with Euler never being considered “anything higher than low risk” and with no “remaining issues.” Despite extensive audits, Euler suffered a $196 million flash loan attack on March 13, 2023.
Responding to the attack, Euler Labs CEO Michael Bentley described it as the “hardest days” of his life in a series of tweets on March 17. He retweeted a user sharing information that Euler had undergone ten audits, commenting that the platform “has always been a security-oriented project.” Euler had also issued a warning just 24 hours before releasing a $1 million bounty for information leading to the hacker’s arrest, stating that it would release a bounty “leading to his arrest and the return of all funds” if 90% of funds were not returned in 24 hours.
Despite the audits, the Euler attacker began moving funds through the Tornado Cash cryptocurrency mixer on March 16, just hours after the bounty was released. In his Twitter thread, Bentley expressed frustration over the attack and the sacrifices he had to make as a result, including time with his newborn child. However, he also thanked security experts who are “working on leads” for the investigation.
While some blockchain security firms, such as Omniscia, found and addressed some “wrong paradigms” in Euler’s base exchanger implementation and how the exchange mode was “handled by the code base”, the audits concluded that Euler had “adequately dealt with” these issues, with “no outstanding issues” remaining. Halborn’s December 2022 audit summary also indicated that it had found “an overall satisfactory result.”
In conclusion, Euler Finance’s 10 audits by six different blockchain security firms in two years did not prevent a $196 million flash loan attack. Despite audits deeming the platform to be “nothing more than low risk” with no “remaining issues,” the attacker was able to move the funds through cryptocurrency mixer Tornado Cash just hours after Euler released a bounty of $1 million for his arrest. The investigation into the attack is ongoing.