How Harmful Was the Euler Hack to DeFi’s “Money Legos” Promise?
Decrypting DeFi is Decrypt’s DeFi email newsletter. (art: Grant Kempster)
DeFi faced its very own contagion event last week after Euler Finance was drained of nearly $200 million via six flash loans and a vulnerability.
It was a major blow to the sector; Euler had been seen as the next big building block after Compound and Aave.
In addition to throwing long-tail assets into the protocol and gambling risk à la Cream Finance, the popular crypto lender created isolated lending pools to help silo security damage if degenerate loans against the wrong memecoin.
Now, however, the whole ship has sunk.
It’s not just that: along with Euler, about 10 other DeFi protocols were affected thanks to the various integrations established along the way. Yield App, Swivel Finance, Angleand several others all announced their level of exposure to their communities.
Ironically, this ability to clip and connect various liquidity pools and lending platforms throughout the ecosystem was one of the key pillars of DeFi.
Composition ability, the developers called it. Money legos, cried the meme gurus.
“Composable protocols are the backbone of DeFi and blockchain technology in general, and they are a superpower for builders and users,” said OpenZeppelin’s solution developer Gustavo Gonzalez Decrypt. “However, like any superpower, they also present risks that must be taken into account when designing and developing a smart contract system.”
Tuesday’s events revealed exactly how these risks can snowball into pandemonium.
“The exploitation of Euler Finance and the inherent impact on more than ten DeFi protocols that relied on Euler Finance shows us the other side of composability,” said Hendo Verbeek, head of risk for the yield protocol of Spool. Decrypt. “Contagion by extension, which is even more sour given that a healthy portion of the DeFi user base has a limited understanding of how protocols use each other.”
In fact, many developers felt blindsided by the hack. After all, Euler had undergone six different audits from some of the leading software audit firms in the game.
So what happened?
At first it appeared that it was more changes made to the underlying smart contracts that were not audited, suggesting that these exact changes had led to the protocol’s vulnerability. In post mortem, however, Euler explained that “while the vulnerable code was reviewed and approved during an external audit, the vulnerability was not discovered as part of the audit.”
It’s clearly a messy process for the audit group in question, and the person behind Officer’s Notes, an anonymous Twitter account that tracks hacks and opsec in the crypto world, told Decrypt that the industry is still waiting for a standard security process.
While the industry waits for the aforementioned standard, projects should actively combine audits and go heavy on the bug bounties, “which will end up being cheaper for a company/protocol/project that needs to get its smart contracts checked,” they said.
Eulers has to be one of the biggest losses in DeFi in a while. Still, it’s not over yet for money’s Lego tale, OpenZeppelin’s Gonzalez said.
“It’s just a reminder of why security is difficult and surveillance is important,” he said.
DeFi is far from over – you just need to know where to look.
How did DeFi fare during the banking chaos?
While Circle rolled with $3.3 billion locked in a slowly sinking bank, the stablecoin fell as low as $0.87.
Many degeners bet on this pico bottom, borrowing USDT against ETH to acquire the discounted token, and have since emerged victorious again.
Others cut their losses and fled to more decentralized pastures.
The market cap for Maker’s DAI was one big winner in all of this. Although the support consists mainly of USDC, and it also fell off, the market capitalization of the largest decentralized stablecoin has increased and has remained there.
Likewise for Liquity’s LUSD and the lesser-known RAI. Each of these stablecoins served relatively secure decentralized options when SVB hit the fan.
And while scrambling for the exits, platforms offering the best deals on broken stablecoins were setting new record volumes (and earning their liquidity providers a pretty penny in the process).
In the heat of the depegging, Curve Finance posted volumes of $6.03 billion.
During the week of March 11, Uniswap almost doubled across the WETH-USDC, USDT-USDC and DAI-USDC pools.
In the end, it certainly wasn’t a win for DeFi. But it’s still here, and clearly traders still need it.
For now, maybe that’s enough.
Editor’s note: This article was updated on March 18, 2023 at 6:00 PM ET to show that the vulnerable code in question was audited but not detected. An earlier issue reported that the newly added code had not been revised.