OPINION: Euler hack drama highlights structural DeFi problems

While the turmoil in banking has attracted headlines, another very large hack of the DeFi protocol Euler has gone largely unnoticed.

A vulnerability in the protocol was exploited to steal $196m, and the hack is making waves in the DeFi community. It is an indication that, despite the eye-watering figures involved, pilfering is very much business as usual in this ecosystem.

Euler is a permissionless lending protocol purpose-built to allow users to “lend and borrow digital assets”. The hackers discovered a weakness in its open-source code and then employed a series of flash loans to trick the protocol. This type of vulnerability is well known and has previously been used successfully by hackers to attack other protocols. The Singapore-based cybersecurity company Numen Cyber Technology found that this particular attack “was possible due to a lack of liquidity checks” in a specific function.
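
To make the “lack of liquidity checks” point concrete, here is a constructed toy lending ledger (added for illustration; it is not Euler's code, and the account model, collateral factor and figures are invented). It contrasts a state-changing function that skips the health check with one that re-checks solvency and reverts, which is what should make the source of the funds, flash loan or otherwise, irrelevant.

```python
"""Toy lending ledger showing why every state-changing function in a
lending protocol must re-run the liquidity (health) check. Constructed
example; the account model and the 75% collateral factor are assumptions."""
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.75  # assumption: debt may not exceed 75% of collateral


@dataclass
class Account:
    collateral: float  # value deposited as collateral
    debt: float        # value borrowed


def is_healthy(acct: Account) -> bool:
    """The liquidity check: debt must stay within the collateral factor."""
    return acct.debt <= acct.collateral * COLLATERAL_FACTOR


class LendingPool:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def open(self, name: str, collateral: float) -> None:
        self.accounts[name] = Account(collateral, 0.0)

    def borrow(self, name: str, amount: float) -> None:
        acct = self.accounts[name]
        acct.debt += amount
        if not is_healthy(acct):          # check runs after the mutation
            acct.debt -= amount           # revert, as a contract would
            raise ValueError("borrow would leave account undercollateralised")

    def withdraw_collateral_unchecked(self, name: str, amount: float) -> None:
        """Vulnerable pattern: mutates the position, never re-checks health."""
        self.accounts[name].collateral -= amount

    def withdraw_collateral(self, name: str, amount: float) -> None:
        """Hardened pattern: same operation, but reverts if health is lost."""
        acct = self.accounts[name]
        acct.collateral -= amount
        if not is_healthy(acct):
            acct.collateral += amount
            raise ValueError("withdrawal would leave account undercollateralised")


def unhealthy_accounts(pool: LendingPool) -> list[str]:
    """Monitoring invariant: no account should ever be unhealthy after a call."""
    return [n for n, a in pool.accounts.items() if not is_healthy(a)]


def demo(checked: bool) -> list[str]:
    """Borrow to the limit, then pull collateral; returns the bad-debt accounts."""
    pool = LendingPool()
    pool.open("alice", 100.0)
    pool.borrow("alice", 75.0)  # exactly at the limit, so any withdrawal breaks it
    try:
        (pool.withdraw_collateral if checked else
         pool.withdraw_collateral_unchecked)("alice", 60.0)
    except ValueError:
        pass  # hardened path reverted the state
    return unhealthy_accounts(pool)
```

Running `demo(False)` reports `alice` as undercollateralised, while `demo(True)` reports no bad debt because the hardened function reverted the withdrawal.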

Complex code

According to Euler, the vulnerability was present in the code for eight months before being exploited and remained undiscovered despite the code being “reviewed and approved during an outside audit”. The Euler website, in an attempt to reassure users and bolster its security credentials, includes a list of audits, with the latest taking place in September 2022. A separate June 2022 report by Pen Test Partners found that the protocol was “well secured against attack, presenting low risk to both Euler’s infrastructure and customer data”.

A post-mortem report commissioned by Euler and created by Omniscia, a security audit specialist, confirmed that the vulnerability in the code was introduced in July 2022 and that it was the September audit that failed to spot the problems in the code that led to the hack. But the interesting wider point here is that code changes can introduce vulnerabilities into a system irrespective of how good and secure it was before they were deployed. The problem, of course, is that those very changes are needed to ensure that the protocol or system in question continues to evolve.

If nothing else, working through the audits also brings home just how complex, and therefore how difficult to audit effectively, the code underpinning the protocol must be. Euler tacitly acknowledges this complexity by stating that despite being subject to audits the protocol “may still contain implicit or hidden vulnerabilities” and by posting a $1m “bug bounty” for individuals who responsibly disclose one that they find. This increasing complexity is worrying, and not only in connection with protocols: it means that vulnerabilities can go undetected for long periods of time, lulling the organisation into a sense of security, before being found and exploited by hackers.

Because DeFi users utilise different platforms, other popular DeFi protocols were affected by the hack, with many, such as Yield, still struggling to assess the damage and plot a way forward. Although the context here is a little different, the interconnectedness of the ecosystem illustrates what regulators are worried about in connection with traditional finance: the risk of contagion stemming from vulnerabilities in common technologies being utilised by seemingly independent entities and operators, posing a risk to the wider system as a result.

Stolen assets

One of the issues with theft when it involves the blockchain is how to dispose of the assets that have been stolen. The size of the hack in this instance means the involvement of law enforcement and instant notoriety, which translates into scrutiny of the wallet or wallets in which the stolen funds end up. All this before the firm in question hires third parties to help attempt to recover the funds. Because a hack of this size affects many in the DeFi community, there will also be wider interest in thwarting the hackers’ attempts to dispose of the funds.

In this case the hackers appear to have recognised this challenge, indicating that they wanted to “come to an agreement”. While many focused on the part of the message that signalled that the attackers were willing to return the funds and had “no intention of keeping what is not theirs”, presumably the motivation for this stance was not entirely altruistic. Any “agreement” would likely involve money being paid out in return for the crypto funds being returned.

Another problem with notoriety is that it tends to attract the attention of other nefarious players. In this instance, the notorious Lazarus Group, allegedly a North Korean outfit, attempted to communicate with the Euler hacker. The method of communication was interesting in itself, being appended to a crypto transaction. A state player is always bad news, and Euler Finance found itself in the uncomfortable position of cautioning its own attacker against the possibility of being compromised by an even more dangerous alleged state player, with whom negotiation was out of the question and recovery of funds therefore far less likely.

Delving into the stories, messaging and systems being employed in DeFi and crypto, one cannot help but feel that this is an esoteric, almost otherworldly community with its own specialist language and modes of behaviour. Millions and hundreds of millions are spoken about as if they were chump change, and the big win is always just around the corner. The desperate messages from users pleading for information about the hack and the return of their funds unfortunately prove that the loss of real money is more often than not the real-world end result.