This month, DeFi witnessed its biggest hack of 2023, as Euler Finance became the victim of a major exploit which resulted in a total loss of approximately $197 million across multiple currencies. At the time of writing, almost 100% of user deposits appear to be under the attacker’s control; the hacker is not communicating with the Euler team and none of the funds seem likely to be returned.
Projects relying more heavily on Euler were severely affected:
- Some Yearn Vaults were indirectly exposed to Euler ($1.38 million of exposure via Idle and Angle); Yearn is using its treasury to cover the resulting bad debt.
- Idle Finance had 100% exposure via its USDC / USDT tranches, and is now reliant on a resolution by Euler and its auditors to recover those funds.
- Harvest Finance was also heavily impacted as their USDC, USDT, and WETH vaults were routed through Idle Finance. As such, they are also dependent on resolution via Euler.
- Sherlock DeFi has taken a great step in paying out a claim, but it amounts to barely 2.2% of the stolen amount, leaving many investors uncertain about where things will go from here.
Following an incident post-mortem by Omniscia, an auditor used by Euler, it appears a single function enabled the attack. This “donateToReserves” function was added as part of eIP-14 in July 2022 and sat within the system for 8 months despite active bug bounties through both Euler and their auditor.
As a result of flawed logic within this update, the attacker was able to artificially create an unbacked debt token within Euler that would never be liquidated.
This code was audited by Sherlock DeFi prior to launch, who also provided a coverage policy for exactly this kind of incident. Sherlock has passed a vote on a $4.5 million payout, $3.3 million of which has been paid so far, the first time an audit team has paid this amount for a missed vulnerability.
Once the direct attack had been halted, Euler engaged various crypto-native teams for investigation, as well as UK and US law enforcement, and is continuing to investigate.
Euler did appear to follow the correct process, offering bug bounties and having the new code fully audited with cover in place; but, as we discussed in our risk whitepaper “DeFi Risks – A Primer”, nothing can ever be 100% certain.
Spool severely reduces such impacts with an effective risk management strategy
Spool was developed specifically to reduce the impact of this kind of “black swan” event on any investor managing their funds within DeFi. While such events should be rare, they do occur and can be catastrophic for investors who place 100% of their funds in a single protocol.
In this incident, we can see that Spool performed as expected and severely reduced the impact on investors. Spool allows for easy distribution of funds between multiple yield sources, an essential part of an effective risk management strategy. By giving users an easy tool to access multiple yield strategies, Smart Vaults removed the onus from users to fully study and manually invest in multiple protocols.
As a result, Spool has never exposed itself 100% to a single yield strategy. In this incident, the worst affected Smart Vaults, those designed by users to seek higher (and riskier) yields, were affected by at most 35%. The least affected vault with exposure to Euler strategies (via Harvest or Idle), in comparison, was affected by only 6%. Some vaults had zero exposure and were thus not impacted.
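The exposures quoted above only make sense on a look-through basis: a vault holding a Harvest strategy was exposed to Euler through Idle, even though Euler never appears in the vault's own allocation. The following is an added illustration, not Spool's code or any protocol's real allocation data. It models yield strategies as a routing graph, follows each vault's capital through intermediaries to the underlying protocol, and flags vaults whose look-through exposure exceeds a cap. The Idle → Euler and Harvest → Idle links mirror the post; every other protocol name, split and vault weight is a constructed assumption chosen so the results land on the 35% / 6% / 0% figures quoted above.

```python
from typing import Dict, Optional, Set

# Constructed routing graph (assumption, not real allocation data): a strategy
# maps to the downstream protocols it places capital into, with the fraction
# sent to each. Leaf protocols map to {}.
ROUTING: Dict[str, Dict[str, float]] = {
    "Euler": {},
    "Aave": {},
    "Compound": {},
    "Idle-USDC": {"Euler": 1.0},            # per the post: Idle tranche 100% via Euler
    "Harvest-USDC": {"Idle-USDC": 1.0},     # per the post: Harvest routed through Idle
    "Angle": {"Euler": 0.4, "Aave": 0.6},   # constructed partial exposure
}


def look_through(strategy: str, target: str,
                 routing: Dict[str, Dict[str, float]],
                 _path: Optional[Set[str]] = None) -> float:
    """Fraction of `strategy`'s capital that ultimately sits in `target`,
    following the routing graph through any number of intermediaries."""
    if strategy == target:
        return 1.0
    path = _path or set()
    if strategy in path:
        # A routing cycle (A -> B -> A) would recurse forever; count the
        # looping leg as zero rather than hanging or double-counting.
        return 0.0
    path = path | {strategy}
    return sum(frac * look_through(child, target, routing, path)
               for child, frac in routing.get(strategy, {}).items())


def vault_exposure(allocation: Dict[str, float], target: str,
                   routing: Dict[str, Dict[str, float]]) -> float:
    """Share of a vault's value exposed to `target`, summed over its strategies.
    If `target` suffers a total loss, this is also the vault's loss fraction."""
    return sum(weight * look_through(strategy, target, routing)
               for strategy, weight in allocation.items())


def over_cap(vaults: Dict[str, Dict[str, float]], target: str, cap: float,
             routing: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Vaults whose look-through exposure to `target` exceeds `cap`."""
    breaches: Dict[str, float] = {}
    for name, allocation in vaults.items():
        exposure = vault_exposure(allocation, target, routing)
        if exposure > cap:
            breaches[name] = exposure
    return breaches


# Constructed vault allocations (weights sum to 1.0). Not Spool's real vaults.
VAULTS: Dict[str, Dict[str, float]] = {
    "aggressive":   {"Harvest-USDC": 0.35, "Aave": 0.40, "Compound": 0.25},
    "conservative": {"Idle-USDC": 0.06, "Aave": 0.50, "Compound": 0.44},
    "mixed":        {"Angle": 0.25, "Aave": 0.75},
    "no-euler":     {"Aave": 0.50, "Compound": 0.50},
}


if __name__ == "__main__":
    for name, allocation in VAULTS.items():
        exposure = vault_exposure(allocation, "Euler", ROUTING)
        print(f"{name:13s} look-through exposure to Euler: {exposure:6.1%}")
    print("vaults over a 25% single-protocol cap:",
          over_cap(VAULTS, "Euler", 0.25, ROUTING))
```

The point of `look_through` is that the "aggressive" vault never names Euler directly, yet 35% of its value sits there once Harvest and Idle are unwound; a cap check that only inspects the top-level allocation would report zero. Running the check before funds are deployed, rather than after an incident, is what turns diversification into a risk control.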
We can see that Spool Smart Vaults performed exactly as expected during the incident. Despite the severity of the attack, and the wide range of protocols affected, the Smart Vault system massively reduced the impact on investors using the platform.
While this is not ideal, it clearly demonstrates the ability of the Smart Vaults to provide tailored risk models and to distribute users’ funds among multiple yield sources.