Lending

DeFi protocol Venus seeks to patch $270K hole from oracle incident

The DeFi lending and borrowing protocol has confirmed it was affected by a malfunctioning Binance price oracle but says user funds are safe.

Decentralized finance (DeFi) protocol Venus confirmed it was impacted by an issue with one of its price feed oracles, resulting in borrows totaling around $270,000 on Dec. 11.

However, it has pushed back on analysts' description of the incident as an exploit, and it has vowed to cover the shortfall from its treasury.

On Dec. 10, reports emerged that a malfunctioning price oracle had affected the Binance Smart Chain-based decentralized lending and borrowing marketplace.

Sam Altman-linked Meanwhile Advisors creates BTC private credit fund

The closed fund will offer investors a 5% yield in Bitcoin and lend funds in BTC to institutions.

Bitcoin life insurance innovator Meanwhile Group has come out with a private credit fund denominated in Bitcoin (BTC). The closed fund will offer investors a “conservative” yield in Bitcoin and lend funds in BTC to institutional counterparties at the managers’ discretion.

Meanwhile Advisors is targeting a 5% yield on the Meanwhile BTC Private Credit Fund term. By vetting loan recipients, the fund “effectively mitigates” the risk associated with retail platforms that provide loans predominantly to individuals, the company said in a statement.

Related: Coinbase launches crypto lending platform for US institutions

Crypto lender Babel gets extended creditor protection in Singapore

Hong Kong-based Babel Finance will have more than a year to repay debts to its creditors after suspending withdrawals in June 2022.

Troubled cryptocurrency lending firm Babel Finance has more time to repay debts to creditors like Deribit after suspending withdrawals in 2022.

A court in Singapore has extended creditor protection for Babel Finance by another three months, Bloomberg reported on April 18.

According to Babel co-founder and former CEO Flex Yang, the moratorium will last until July 21, enabling the firm to pursue its restructuring plan via a new decentralized finance (DeFi) project called Hope. Yang returned to oversee Babel's restructuring after stepping down as CEO in 2021.

Flex Yang, former CEO of Babel Finance and founder of the Hope DeFi ecosystem. Source: TechCrunch

Babel’s restructuring plan involves new tokens called “Babel Recovery Coins,” which are aimed at allowing the troubled lender to generate revenue for repaying as much as $800 million to its creditors.

Flex also wrote in an open letter on Twitter that Babel’s bankruptcy protection was heard in the Singapore High Court on April 17, officially opening the in-court reorganization procedure. He noted that his main focus in the future would be the Hope project, stating:

“In the coming international political changes, HOPE will be an important tool for us to reconnect the world. […] We are confident that our new team will continue to use their hope and light to move the new project forward.”

As previously reported, co-founder Flex Yang launched the Hope DeFi project in mid-March 2023, positioning it as a combination of DeFi and centralized finance that offers DeFi-level transparency and security with centralized finance-level access.

Related: Celsius reportedly prepping litigation against creditor for leaking internal info

Another Babel co-founder, Yang Zhou, initially introduced the Hope project in early March, describing its native Babel Recovery Coin as a stablecoin minted against Bitcoin (BTC) and Ether (ETH) collateral. The token is designed to maintain its 1:1 peg with the U.S. dollar through arbitrage incentives for traders.

Babel was one of many crypto lending companies that experienced major liquidity issues due to the bear crypto market in 2022. The Hong Kong-based firm suspended withdrawals and redemptions from its products in June, citing unusual liquidity pressures. Babel reportedly lost $280 million in proprietary trades with customer funds.

Magazine: Asia Express: Bitcoin glory on Chinese TikTok, 30M mainland users, Justin Sun saga

Hundred Finance loses $7 million in Optimism hack

The attacker reportedly manipulated the exchange rate between ERC-20 tokens and hTokens to steal over $7 million from the protocol.

Multichain lending protocol Hundred Finance has experienced a significant security breach on the Ethereum layer-2 blockchain Optimism. The protocol tweeted that the losses sit at $7.4 million.

Hundred Finance announced the exploit on April 15, saying it had contacted the hacker and was working with various security teams on the incident. Although the protocol did not reveal how the attack was executed, blockchain security firm CertiK said it was a flash loan attack.

Flash loan attacks involve a hacker borrowing a large amount of funds via an uncollateralized loan that must be repaid within the same transaction. The hacker then uses these funds to manipulate the price of an asset on a decentralized finance (DeFi) platform.

In Hundred's case, the attacker manipulated the exchange rate between ERC-20 tokens and hTokens, allowing them to withdraw more tokens than they had originally deposited, according to CertiK. The security firm continued:

“The exchange rate formula was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up.”

CertiK says large loans were taken out under the manipulated exchange rate. Hundred Finance said it was preparing a postmortem report on the incident.
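As an added example, not Hundred's code and not from the original article: a Compound-style hToken market in Python showing the mechanism CertiK describes (a direct "donation" of underlying raises the exchange rate) in its generic form. The page does not give Hundred's exact transaction sequence, so the near-empty market, the 2 wei of remaining hToken supply, the 500 WBTC donation, the 2e16 initial exchange rate and the 80% collateral factor are all assumed. The `cash_from_balance_of` switch contrasts reading cash from the token balance (which a plain transfer inflates) with internal accounting, and `round_redeem_up` contrasts Compound's round-down redemption with rounding up.

```python
"""Compound-style hToken market: donation inflates the exchange rate, and round-down
redemption lets the attacker pull the donation back while keeping a token that still
backs a loan. Constructed example with assumed parameters (amounts in satoshi)."""
MANTISSA = 10**18
INITIAL_RATE = 2 * 10**16        # assumed: 50 hToken wei per satoshi in an empty market
COLLATERAL_FACTOR = 8 * 10**17   # assumed 80%


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


class HToken:
    def __init__(self, cash_from_balance_of: bool, round_redeem_up: bool):
        self.cash_from_balance_of = cash_from_balance_of  # vulnerable: cash = underlying.balanceOf(this)
        self.round_redeem_up = round_redeem_up            # hardened: never burn fewer tokens than owed
        self.cash = 0          # underlying credited through mint (internal accounting)
        self.stray = 0         # underlying sent straight to the contract, no hTokens minted
        self.borrows = 0
        self.reserves = 0
        self.total_supply = 0
        self.balances = {}     # hToken wei per account
        self.debt = {}         # value borrowed against this collateral, satoshi-equivalent

    def exchange_rate(self) -> int:
        if self.total_supply == 0:
            return INITIAL_RATE
        cash = self.cash + (self.stray if self.cash_from_balance_of else 0)
        return (cash + self.borrows - self.reserves) * MANTISSA // self.total_supply

    def mint(self, user: str, amount: int) -> int:
        tokens = amount * MANTISSA // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        self.balances[user] = self.balances.get(user, 0) + tokens
        return tokens

    def donate(self, amount: int) -> None:
        self.stray += amount   # plain ERC-20 transfer to the contract

    def capacity(self, user: str, tokens=None) -> int:
        bal = self.balances.get(user, 0) if tokens is None else tokens
        return bal * self.exchange_rate() // MANTISSA * COLLATERAL_FACTOR // MANTISSA

    def borrow(self, user: str, value: int) -> None:
        if self.debt.get(user, 0) + value > self.capacity(user):
            raise ValueError("insufficient collateral")
        self.debt[user] = self.debt.get(user, 0) + value

    def redeem(self, user: str, tokens: int) -> int:
        amount = tokens * self.exchange_rate() // MANTISSA
        self._burn(user, tokens, amount)
        return amount

    def redeem_underlying(self, user: str, amount: int) -> int:
        rate = self.exchange_rate()
        # Compound's redeemFresh computes redeemTokens = amount / rate rounded DOWN
        tokens = ceil_div(amount * MANTISSA, rate) if self.round_redeem_up else amount * MANTISSA // rate
        self._burn(user, tokens, amount)
        return tokens

    def _burn(self, user: str, tokens: int, amount: int) -> None:
        if tokens > self.balances.get(user, 0):
            raise ValueError("insufficient hTokens")
        if self.capacity(user, self.balances[user] - tokens) < self.debt.get(user, 0):
            raise ValueError("redeem would leave the account undercollateralised")
        if amount > self.cash + self.stray:
            raise ValueError("insufficient cash")
        self.balances[user] -= tokens
        self.total_supply -= tokens
        paid_from_stray = min(amount, self.stray)  # modelling convenience: stray funds leave first
        self.stray -= paid_from_stray
        self.cash -= amount - paid_from_stray


def run_attack(cash_from_balance_of: bool, round_redeem_up: bool) -> dict:
    m = HToken(cash_from_balance_of, round_redeem_up)
    att = "attacker"
    spent = 10_000
    m.mint(att, 10_000)                 # 0.0001 WBTC -> 500,000 hToken wei
    spent -= m.redeem(att, 499_998)     # leave 2 wei of hToken as the entire supply
    donation = 50_000_000_000           # 500 WBTC (flash-loaned) sent directly to the contract
    m.donate(donation)
    spent += donation
    rate = m.exchange_rate()
    # borrow only what the hypothetical check still allows after burning 1 of the 2 wei
    borrowed = m.capacity(att, m.balances[att] - 1)
    if borrowed:
        m.borrow(att, borrowed)
    try:
        m.redeem_underlying(att, donation - 1)  # ask for all but 1 sat of the donation back
        recovered = donation - 1
    except ValueError:
        recovered = 0
    return {
        "rate_after_donation": rate,
        "borrowed_sat": borrowed,
        "recovered_sat": recovered,
        "net_gain_sat": borrowed + recovered - spent,
        "collateral_left_sat": m.balances[att] * m.exchange_rate() // MANTISSA,
    }
```

With `cash_from_balance_of=True, round_redeem_up=False` the attacker borrows 200 WBTC of value, takes back all but 1 satoshi of the donation by burning a single hToken wei, and leaves a loan backed by 2 satoshi of collateral. Internal cash accounting keeps the rate at 5e17 after the donation, so the borrow capacity is zero; rounding the redemption up forces both wei to be burned, which the collateral check rejects, so the attacker is left with an ordinary overcollateralised loan and a loss.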

This attack comes almost 12 months after Hundred was hit by another exploit, on the Gnosis Chain. At that time, the hacker drained all of the protocol's liquidity through a reentrancy attack, taking over $6 million. In the same exploit, the hacker also stole funds from the Agave protocol.

Since last year, a number of attackers have used flash loans against DeFi protocols. Recent cases include attacks on Euler Finance ($196 million) and Mango Markets ($46 million). While Euler's hacker returned most of the funds, Mango's exploiter has been arrested by United States authorities.

Magazine: Should crypto projects ever negotiate with hackers? Probably

US share of global crypto developers fell 26% in 5 years — a16z

In 2018, nearly 40% of all crypto developers were based in the United States, whereas in 2022, this figure had fallen to less than 30%.

The share of global crypto developers based in the United States declined by 26% from 2018 to 2022, according to a report from venture capital firm Andreessen Horowitz, also known as a16z. The report, titled “State of Crypto 2023,” cited data from Electric Capital and SimilarWeb to support its findings.

A summary of the report’s findings stated that “Between 2018 and 2022, the proportion of crypto developers based in the U.S. vs. the rest of the world fell 26%.”

Backing up this finding is a graph in the report showing U.S. share of global crypto developers was nearly 40% in 2018, but went below 30% in 2022, a percentage decline of more than one quarter.

In its summary, a16z cited lack of regulatory clarity as a possible reason for the decline, stating, “There has been much debate, but little regulatory clarity, which has hindered web3’s growth. As a result, America’s edge may be slipping.”

However, the venture capital firm expressed hope that the U.S. may regain some of its lost ground. Multiple bills tabled in Congress have sought to provide regulatory clarity for crypto assets, including the Responsible Financial Innovation Act, the Digital Commodities Consumer Protection Act, and the Digital Commodity Exchange Act, the report said.

In addition, a16z cited several impactful crypto cases that may soon be decided as reasons for optimism. These include the Securities and Exchange Commission’s enforcement action on Ripple, the Treasury Department’s Tornado Cash civil actions, and the bankruptcy proceedings of firms such as FTX, Voyager, and Celsius.

The venture firm’s sentiment about regulatory clarity echoes many in the U.S. crypto industry. In November, Coinbase CEO Brian Armstrong argued that the FTX collapse was partially caused by U.S. regulations driving crypto users offshore. In December, crypto lending platform Nexo announced it was leaving the U.S. because the government allegedly “refuses to provide a path forward for enabling blockchain businesses.”

Euler Finance attack: How it happened, and what can be learned

The Euler Finance exploit was the largest of Q1 2023, and the risk of a similar attack on other protocols remains.

The March 13 flash loan attack against Euler Finance resulted in over $195 million in losses. It caused a contagion to spread through multiple decentralized finance (DeFi) protocols, and at least 11 protocols other than Euler suffered losses due to the attack.

Over the next 23 days, and to the great relief of many Euler users, the attacker returned all of the exploited funds.

But while the crypto community can celebrate the return of the funds, the question remains whether similar attacks may cause massive losses in the future.

An analysis of how the attack happened and whether developers and users can do anything to help prevent these kinds of attacks in the future may be helpful.

Luckily, Euler’s developer docs clearly explain how the protocol works, and the blockchain itself has preserved a complete record of the attack. 

How Euler Finance works

According to the protocol’s official docs, Euler is a lending platform similar to Compound or Aave. Users can deposit crypto and allow the protocol to lend it to others, or they can use a deposit as collateral to borrow crypto.

The value of a user's collateral must always exceed the value of what they borrow. If a user's collateral falls below a specified ratio of collateral value to debt value, the platform allows them to be "liquidated," meaning their collateral is sold off to pay back their debts. The exact amount of collateral a user needs depends on the asset being deposited vs. the asset being borrowed.

eTokens are assets, while dTokens are debts

Whenever users deposit to Euler, they receive eTokens representing the deposited coins. For example, if a user deposits 1,000 USD Coin (USDC), they will receive the same amount of eUSDC in exchange.

Because the deposit earns interest, each eToken becomes redeemable for more than one unit of the underlying coin over time, so eTokens do not have a 1:1 correspondence with the underlying asset in terms of value.

Euler also allows users to gain leverage by minting eTokens. But if they do this, the protocol will send them debt tokens (dTokens) to balance out the assets created.

For example, the docs say that if a user deposits 1,000 USDC, they can mint 5,000 eUSDC. However, if they do this, the protocol will also send them 5,000 of a debt token called “dUSDC.”

The transfer function of a dToken is written differently from that of a standard ERC-20 token: if you own a debt token, you cannot transfer it to someone else, but anyone can take a dToken from you if they want to.

Related: Liquidity protocol Sentiment exploited for over $500K

According to the Euler docs, a user can only mint as many eTokens as they would have been able to by depositing and borrowing over and over again, as it states, “The Mint function mimics what would happen if a user deposited $1,000 USDC, then borrowed $900 USDC, then redeposited that $900 USDC, to borrow $810 more USDC, and so on.”

Users liquidated if health scores drop to 1 or below

According to a blog post from Euler, each user has a “health score” based on the value of the eTokens held in their wallets vs. the value of the dTokens held. A user needs to have a greater dollar value of eTokens than dTokens, but how much more depends on the particular coins they are borrowing or depositing. Regardless, a user with enough eTokens will have a health score greater than 1.

If the user barely falls below the required number of eTokens, they will have a health score of precisely 1. This will subject them to “soft liquidation.” Liquidator bots can call a function to transfer some of the user’s eTokens and dTokens to themselves until the borrower’s health score returns to 1.25. Since a user who is barely below the collateral requirements will still have more collateral than debt, the liquidator should profit from this transaction.

If a user’s health score falls below 1, then an increasing discount is given out to the liquidator based on how bad the health score is. The worse the health score, the greater the discount to the liquidator. This is intended to make sure that someone will always liquidate an account before it accumulates too much bad debt.

Euler’s post claims that other protocols offer a “fixed discount” for liquidation and argues why it thinks variable discounts are superior.

How the Euler attack happened

Blockchain data reveals that the attacker engaged in a series of attacks that drained various tokens from the protocol. The first attack drained around $8.9 million worth of Dai (DAI) from the Dai deposit pool. It was then repeated over and over again for other deposit pools until the total amount was drained.

The attacker used three different Ethereum addresses to perform the attack. The first was a smart contract, which Etherscan has labeled “Euler Exploit Contract 1,” used to borrow from Aave. The second address was used to deposit and borrow from Euler, and the third was used to perform a liquidation.

To avoid having to repeatedly state the addresses that Etherscan has not labeled, the second account will be referred to as “Borrower” and the third account “Liquidator,” as shown below:

Ethereum addresses used by the hacker. Source: Etherscan

The first attack consisted of 20 transactions in the same block.

First, Euler Exploit Contract 1 borrowed 30 million DAI from Aave in a flash loan. It then sent this loan to the borrower account.

After receiving the 30 million DAI, borrower deposited 20 million of it to Euler. Euler then responded by minting approximately 19.6 million eDAI and sending it to borrower.

These eDAI coins were a receipt for the deposit, so no corresponding dDAI was minted in the process. And since each eDAI can be redeemed for slightly more than one DAI, the borrower received 19.6 million eDAI rather than the full 20 million.

After performing this initial deposit, borrower minted approximately 195.7 million eDAI. In response, Euler minted 200 million dDAI and sent it to borrower.

At this point, borrower was near their eDAI mint limit, as they had now borrowed about 10 times the amount of DAI they had deposited. So their next step was to pay off some of the debts. They deposited the other 10 million DAI they had held onto, effectively paying back $10 million of the loan. In response, Euler took 10 million dDAI out of borrower’s wallet and burned it, reducing borrower’s debt by $10 million.

Related: Allbridge offers bounty to exploiter who stole $573K in flash loan attack

The attacker was then free to mint more eDAI. Borrower minted another 195.7 million eDAI, bringing their eDAI total minted to around 391.4 million. The 19.6 million eDAI in deposit receipts brought borrower’s eDAI total to about 411 million.

In response, Euler minted another 200 million dDAI and sent it to borrower, bringing borrower's total debt to $400 million.

Once borrower had maximized their eDAI minting capacity, they sent 100 million eDAI to the null address, effectively destroying it.

This pushed their health score well below 1, as they now had $400 million in debt vs. approximately $320 million in assets.

This is where the liquidator account comes in. It called the liquidate function, entering borrower’s address as the account to be liquidated.

Liquidation event emitted during the Euler attack. Source: Ethereum blockchain data

In response, Euler initiated the liquidation process. It first took around 254 million dDAI from borrower and destroyed it, then minted 254 million new dDAI and transferred it to liquidator. These two steps transferred $254 million worth of debt from borrower to liquidator.

Next, Euler minted an additional 5.08 million dDAI and sent it to liquidator. This brought liquidator’s debt to $260 million. Finally, Euler transferred approximately 310.9 million eDAI from borrower to liquidator, completing the liquidation process.

In the end, borrower was left with no eDAI, no DAI, and 146 million dDAI. This meant that the account had no assets and $146 million worth of debt.

On the other hand, liquidator had approximately 310.9 million eDAI and only 260 million dDAI.

Once the liquidation had been completed, liquidator redeemed 38 million eDAI ($38.9 million), receiving 38.9 million DAI in return. They then returned 30 million DAI plus interest to Euler Exploit Contract 1, which the contract used to pay back the loan from Aave.

In the end, liquidator was left with approximately $8.9 million in profit that had been exploited from other users of the protocol.

This attack was repeated for multiple other tokens, including Wrapped Bitcoin (WBTC), Staked Ether (stETH) and USDC, amounting to $197 million in exploited cryptocurrencies.

Losses from Euler attack. Source: Blocksec

What went wrong in the Euler attack

Blockchain security firms Omniscia and SlowMist have analyzed the attack to try and determine what could have prevented it.

According to a March 13 report from Omniscia, the primary problem with Euler was its "donateToReserves" function. This function allowed the attacker to donate their eDAI to Euler reserves, removing assets from their wallet without removing a corresponding amount of debt. Omniscia says that this function was not in the original version of Euler but was introduced in Euler Improvement Proposal 14 (eIP-14).

The code for eIP-14 reveals that it created a function called donateToReserves, which allows the user to transfer tokens from their own balance to a protocol variable called “assetStorage.reserveBalance.” Whenever this function is called, the contract emits a “RequestDonate” event that provides information about the transaction.

Blockchain data shows that this RequestDonate event was emitted for a value of 100 million tokens. This is the exact amount that Etherscan shows were burned, pushing the account into insolvency.

Euler’s RequestDonate event being emitted during the attack. Source: Ethereum blockchain data

In their March 15 analysis, SlowMist agreed with Omniscia about the importance of the donateToReserve function, stating:

“Failure to check whether the user was in a state of liquidation after donating funds to the reserve address resulted in the direct triggering of the soft liquidation mechanism.”

The attacker might have been able to carry out the attack even if the donate function had not existed. The Euler "EToken.sol" contract code on GitHub contains a standard ERC-20 "transfer" function. This seems to imply that the attacker could have transferred their eTokens to an arbitrary address or to the null address instead of donating, pushing themselves into insolvency anyway.

Euler eToken contract transfer function. Source: GitHub

However, the attacker chose to donate the funds rather than transfer them, suggesting that a plain transfer would not have worked.

Cointelegraph has reached out to Omniscia, SlowMist and the Euler team for clarification on whether the donateToReserves function was essential to the attack. However, it has not received a response by publication time.

Related: Euler team denies on-chain sleuth was a suspect in hack case

The two firms agreed that another major vulnerability in Euler was the steep discounts offered to liquidators. According to SlowMist, when a lending protocol has a “liquidation mechanism that dynamically updates discounts,” it “creates lucrative arbitrage opportunities for attackers to siphon off a large amount of collateral without the need for collateral or debt repayment.” Omniscia made similar observations, stating:

“When the violator liquidates themselves, a percentage-based discount is applied […] guaranteeing that they will be ‘above-water’ and incur only the debt that matches the collateral they will acquire.”

How to prevent a future Euler attack

In its analysis, SlowMist advised developers on how to prevent another Euler-style attack in the future. It argued that lending protocols should not allow users to burn assets if this will cause them to create bad debt, and it claimed that developers should be careful when using multiple modules that may interact with each other in unexpected ways:

“The SlowMist Security Team recommends that lending protocols incorporate necessary health checks in functions that involve user funds, while also considering the security risks that can arise from combining different modules. This will allow for the design of secure economic and viable models that effectively mitigate such attacks in the future.”
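The deposit, mint, repay, donate and self-liquidate sequence walked through above, together with the missing health check and the steep dynamic discount discussed in the two sections that follow it, as an added example in Python. This is not Euler's code and not part of the original article: it is a single-asset simplification in which the DAI-per-eDAI rate (1.02), the minimum health a mint must leave (1.04), the 2% liquidation surcharge and the 20% discount cap are assumed parameters, and real Euler applies per-asset collateral and borrow factors, so the dollar figures differ from the on-chain ones. The `check_health_on_donate` flag is the check SlowMist and Sherlock describe as missing from `donateToReserves`; the `max_discount` parameter lets you see how much of the profit comes from the discount.

```python
"""Simplified single-asset model of Euler-style eToken/dToken accounting.
Constructed example: RATE, MIN_MINT_HEALTH, LIQ_FEE and the discount cap are assumed,
and a single health ratio stands in for Euler's per-asset collateral/borrow factors."""
from dataclasses import dataclass
from typing import Optional, Tuple

RATE = 1.02             # assumed DAI per eDAI (accrued interest), constant within the block
MIN_MINT_HEALTH = 1.04  # assumed: mint() must leave the account at least this healthy
LIQ_FEE = 0.02          # assumed surcharge added to the debt a liquidator takes over


class HealthCheckFailed(Exception):
    pass


@dataclass
class Account:
    dai: float = 0.0  # DAI in the wallet
    e: float = 0.0    # eDAI held (deposit receipts plus minted assets)
    d: float = 0.0    # dDAI held (debt)

    def health(self) -> float:
        return float("inf") if self.d == 0 else self.e * RATE / self.d


@dataclass
class Market:
    check_health_on_donate: bool  # the check reported as missing from donateToReserves
    max_discount: float = 0.20    # assumed cap on the dynamic liquidation discount
    pool: float = 0.0             # DAI held by the protocol
    reserves_e: float = 0.0       # eDAI moved to reserves by donations

    def deposit(self, a: Account, dai: float) -> None:
        a.dai -= dai
        self.pool += dai
        a.e += dai / RATE

    def mint(self, a: Account, e_amount: float) -> None:
        # self-collateralised: eTokens and the matching dTokens are created together
        a.e += e_amount
        a.d += e_amount * RATE
        if a.health() < MIN_MINT_HEALTH:
            raise HealthCheckFailed("mint would leave the account undercollateralised")

    def repay(self, a: Account, dai: float) -> None:
        a.dai -= dai
        self.pool += dai
        a.d -= dai

    def withdraw(self, a: Account, dai: float) -> None:
        a.e -= dai / RATE
        a.dai += dai
        self.pool -= dai
        if a.health() < 1:
            raise HealthCheckFailed("withdraw would leave the account liquidatable")

    def donate_to_reserves(self, a: Account, e_amount: float) -> None:
        a.e -= e_amount
        self.reserves_e += e_amount
        if self.check_health_on_donate and a.health() < 1:
            raise HealthCheckFailed("donation would leave the account liquidatable")

    def liquidate(self, liq: Account, violator: Account) -> Tuple[float, float]:
        h = violator.health()
        if h >= 1:
            raise ValueError("account is healthy")
        discount = min(self.max_discount, 1 - h)  # the worse the health, the larger the discount
        collateral_value = violator.e * RATE
        # take over as much debt as the violator's collateral covers at the discounted price
        repay = min(violator.d, collateral_value / (1 + discount))
        seized_e = repay * (1 + discount) / RATE
        violator.d -= repay
        violator.e -= seized_e
        liq.d += repay * (1 + LIQ_FEE)
        liq.e += seized_e
        return repay, discount


def run_attack(check_health_on_donate: bool, max_discount: float = 0.20) -> Optional[dict]:
    """Replay the DAI leg of the attack; returns None when a health check blocks it."""
    m = Market(check_health_on_donate, max_discount)
    m.deposit(Account(dai=500e6), 500e6)       # other users' liquidity (assumed)
    borrower = Account(dai=30e6)               # holds the 30M DAI flash loan
    liquidator = Account()
    m.deposit(borrower, 20e6)                  # ~19.6M eDAI
    m.mint(borrower, 195.7e6)                  # ~195.7M eDAI against ~200M dDAI
    m.repay(borrower, 10e6)                    # pay down debt to regain mint headroom
    m.mint(borrower, 195.7e6)
    try:
        m.donate_to_reserves(borrower, 100e6)  # destroy collateral, keep the debt
    except HealthCheckFailed:
        return None
    repay, discount = m.liquidate(liquidator, borrower)
    free = liquidator.e * RATE - liquidator.d  # collateral value not backing any debt
    m.withdraw(liquidator, free - 1)           # 1 DAI margin for rounding
    return {
        "discount": discount,
        "bad_debt": borrower.d,                # debt left on an account with no collateral
        "profit": liquidator.dai - 30e6,       # after repaying the flash loan
    }


if __name__ == "__main__":
    print("no check on donate:", run_attack(False))
    print("5% discount cap:   ", run_attack(False, max_discount=0.05))
    print("check on donate:   ", run_attack(True))
```

Without the check, the donation drops the borrower's health to about 0.815, the liquidator gets an 18.5% discount, and withdrawing the uncollateralised part of the seized eDAI pays back the flash loan with a profit while roughly $121 million of debt stays on an account holding nothing. With the check, `donate_to_reserves` reverts and the attack never reaches the liquidation. With the same missing check but a 5% discount cap, the liquidator cannot free enough DAI to repay the flash loan, which is the point SlowMist and Omniscia make about dynamic discounts.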

A representative from DeFi developer Spool told Cointelegraph that technological risk is an intrinsic feature of the DeFi ecosystem. Although it can’t be eliminated, it can be mitigated through models that properly rate the risks of protocols.

According to Spool’s risk management white paper, it uses a “risk matrix” to determine the riskiness of protocols. This matrix considers factors such as the protocol’s annual percentage yield (APY), audits performed on its contracts, time since its deployment, total value locked (TVL) and others to create a risk rating. Users of Spool can employ this matrix to diversify DeFi investments and limit risks.

The representative told Cointelegraph that Spool’s matrix significantly reduced investor losses from the Euler incident.

“In this incident, the worst affected Smart Vaults, those designed by users to seek higher (and riskier) yields, were only affected for up to 35%. The lowest affected vault with exposure to Euler strategies (via Harvest or Idle), in comparison, was only affected by 6%. Some vaults had zero exposure and were thus not impacted,” they stated.

Spool continued, “While this is not ideal, it clearly demonstrates the ability of the Smart Vaults to provide tailored risk models and to distribute users’ funds among multiple yield sources.”

Cointelegraph got a similar answer from SwissBorg, another DeFi protocol that aims to help users limit risk through diversification. SwissBorg CEO Cyrus Fazel stated that the SwissBorg app has “different yield strategies based on risk/timeAPY.”

Some strategies are listed as “1: core = low,” while others are listed as “2: adventurous = risky.” Because Euler was given a “2” rating, losses from the protocol were limited to only a small portion of SwissBorg’s total value locked, Fazel stated.

SwissBorg head of engineering Nicolas Rémond clarified further that the team employs sophisticated criteria to determine what protocols can be listed in the SwissBorg app.

“We have a due-diligence process for all DeFi platforms before entering any position. And then, once we’re there, we have operation procedures,” he said, adding, “The due diligence is all about TVL, team, audits, open-source code, TVL, oracle manipulation attack, etc. […] The operation procedure is about platform monitoring, social media monitoring and some emergency measures. Some are still manual, but we’re investing to automatize everything based so that we can be extremely reactive.”

In a March 13 Twitter thread, the SwissBorg team stated that although the protocol had lost 2.2% of the funds from one pool and 29.52% from another, all users would be compensated by SwissBorg should the funds not be recoverable from Euler.

The Euler attack was the worst DeFi exploit of Q1 2023. Thankfully, the attacker returned most of the funds, and most users should end up with no losses when all is said and done. But the attack raises questions about how developers and users can limit risk as the DeFi ecosystem continues to expand.

Some combination of developer diligence and investor diversification may be the solution to the problem. But regardless, the Euler hack may continue to be discussed well into the future, if for no other reason than its sheer size and illustration of the risks of DeFi exploits.

Why did 12K Bitcoin margin longs close at Bitfinex, and why didn’t it impact BTC price?

An unprecedented number of BTC margin longs recently closed at Bitfinex, leaving analysts searching for explanations.

Since May 2022, the Bitcoin (BTC) margin markets on the Bitfinex exchange have been plagued by an unusually high open interest of over $2.7 billion. This information alone should raise a red flag, especially considering Bitcoin’s price decline from $39,000 to less than $25,000 during the same period.

Traders seeking to leverage their cryptocurrency position had borrowed over 105,000 Bitcoin. Currently, the cause of this anomaly and the number of entities involved in the trade are unknown.

Cheap borrowing favors high demand

Bitfinex’s sub-0.1% annual rate may contribute to the size of the Bitcoin lending market. To date, this has been the norm, creating enormous incentives for borrowing, even if there is no current need. Few traders would turn down such a ridiculously inexpensive leverage opportunity.

Margin borrowing can be used to take advantage of arbitrage opportunities, where a trader exploits price discrepancies between different markets. For example, borrowing Bitcoin on margin allows a trader to take a long position in one market and a short one in another, profiting from the price difference.

To understand how Bitcoin borrowing can be used to profit on derivatives markets, including those outside of Bitfinex, one must understand the distinction between futures contracts and margin markets. A margin trade is not a derivative contract, so it takes place on the same order book as spot trading. In addition, unlike futures, margin longs and shorts are not always in balance.

For example, after purchasing 10 Bitcoin using margin, the coins can be withdrawn from the exchange. Naturally, the trade, typically based on stablecoins, requires some form of collateral or a margin deposit.

If the borrower fails to repay, the exchange liquidates the margin collateral to repay the lender.

Additionally, the borrower must pay interest on the BTC acquired with margin. The operational procedures vary between centralized and decentralized exchanges, but the lender typically determines the interest rate and duration of offers.

There was a 12,000 BTC margin decline in a single trade

Historically, Bitfinex margin traders have been known to move large margin positions quickly, indicating the participation of whales and large arbitrage desks. In the most recent instance, on March 25, those investors reduced their long positions by 12,000 BTC in minutes.

Bitfinex BTC margin longs, in BTC contracts. Source: TradingView

Notice the significant decrease, although it did not affect the Bitcoin price. This supports the theory that such margin trades are market-neutral because the borrower is not leveraging their positions with the proceeds. Most likely, there is some arbitrage involving derivatives instruments.

Traders should cross-reference the data with other exchanges to confirm that the anomaly affects the entire market, given that each exchange has distinct risks, norms, liquidity and availability.

OKX, for example, provides an indicator for margin lending based on the stablecoin/BTC ratio. Traders can increase their exposure on OKX by borrowing stablecoins to purchase Bitcoin. Bitcoin borrowers, on the other hand, can only wager on the price decline.

OKX stablecoin/BTC margin lending ratio. Source: OKX

The above chart shows that OKX traders’ margin lending ratio has been stable for the past week near 30, indicating that professional traders’ long-to-short bets have not changed. This data supports the theory that Bitfinex’s decline is due to an arbitrage close unrelated to Bitcoin price movement.

Related: US government plans to sell 41K Bitcoin connected to Silk Road

Recent crypto bank closures could have triggered the movement

Another possible cause of the sudden decrease in margin demand is the $4 billion in deposits associated with the now-defunct Signature Bank. Crypto clients were told to close their accounts by April, according to a Bloomberg report.

While New York Community Bancorp (NYCB) purchased the majority of Signature Bank’s deposits and loans on March 19, the deal with the Federal Deposit Insurance Corporation did not include crypto-related accounts.

If those whales are forced to close their banking accounts, they will most likely reduce their arbitrage positions, including those in margin markets. For the time being, all assumptions are speculative, but one thing is sure: the 12,000 BTC long margin reduction at Bitfinex did not affect Bitcoin prices.

The views, thoughts and opinions expressed here are the authors’ alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

Euler Finance exploiter returns another $37.1M worth of ETH and DAI

The exploiter originally drained $195 million worth of ETH and tokens from the protocol but has now returned around $138 million.

The architect of the March 13 Euler Finance exploit returned an additional $26.5 million worth of Ether (ETH) to the Euler Finance deployer account on March 27, on-chain data shows.

At 6:21 pm UTC, an address associated with the attacker sent 7,738.05 ETH (worth approximately $13.2 million at the time it was confirmed) to the Euler deployer account. In the same block, another address associated with the attacker sent an identical amount to the same deployer account, for a total of 15,476.1 ETH (around $26.4 million) returned to the Euler team.

Then, at 6:40 pm UTC, the first wallet sent another transaction to the deployer account for $10.7 million worth of the Dai (DAI) stablecoin. This brings the total of all three transactions to approximately $37.1 million.

Both of these addresses received funds from the account that Etherscan labels “Euler Finance Exploiter 2,” which implies that they are under the control of the attacker.

These transactions follow a previous return of 58,000 ETH (worth over $101 million at the time) on March 25. In total, the attacker appears to have returned over $138 million worth of crypto assets since the exploit.

Ethereum-based crypto lending protocol Euler Finance was exploited on March 13, and over $195 million worth of ETH and tokens were drained from its smart contracts. Several protocols within the Ethereum ecosystem depended on Euler in one way or another, and at least 11 protocols have announced that they suffered indirect losses from the attack.

According to an analysis by SlowMist, the exploit occurred because of a faulty function that allowed the attacker to donate their eDAI deposit tokens to the protocol's reserves. By making this donation, the attacker was able to push their own account into insolvency. A separate account was then used to liquidate the first account at a steep discount, allowing the attacker to profit from that discount.

After draining Dai through this first attack, the attacker then repeated it for multiple tokens, removing over $196 million from the protocol.

Funds stolen from Euler Finance. Source: BlockSec

Euler Finance blocks vulnerable module, working on recovering funds

Euler is working with law enforcement agencies and blockchain security firms to contact the exploiter and recover the funds.

Decentralized finance (DeFi) lending protocol Euler Finance became a victim of a flash loan attack on March 13, resulting in the biggest hack of crypto in 2023 so far. The lending protocol lost nearly $197 million in the attack and impacted more than 11 other DeFi protocols as well.

On March 14, Euler posted an update on the situation and notified its users that it had disabled the vulnerable eToken module, blocking deposits and the vulnerable donation function.

The firm said it works with various security groups to audit its protocol and that the vulnerable code had been reviewed and approved during an outside audit, which did not discover the vulnerability.

The vulnerability remained on-chain for eight months until it was exploited, despite a $1 million bug bounty in place.

Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler submit a claim. The claim for $4.5 million passed a vote on the audit protocol, which then executed a $3.3 million payout on March 14.

In its analysis report, the audit group identified a significant factor in the exploit: a missing health check in “donateToReserves,” a new function added in EIP-14. However, the protocol stressed that the attack was still technically possible even before EIP-14.
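As an added illustration of the failure mode described in the two Euler write-ups above (the donation that pushes the donor's own account into insolvency, and the missing health check in the donate function), the toy contract below is hypothetical model code written for this page, not Euler's contract or Sherlock's report. It tracks collateral and debt per account with plain integers and places a donate-to-reserves function that skips the post-state health check next to one that enforces it. The names `ToyLendingPool`, `donateToReservesUnchecked`, `COLLATERAL_FACTOR_BPS` and `AccountUnhealthy` are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical, heavily simplified lending-pool model (not Euler's code).
/// Collateral and debt are tracked as plain unit balances; no ERC-20 transfers.
contract ToyLendingPool {
    mapping(address => uint256) public collateral; // "eToken"-style balance
    mapping(address => uint256) public debt;       // "dToken"-style balance
    uint256 public reserves;

    // A position is healthy when 90% of its collateral still covers its debt.
    uint256 public constant COLLATERAL_FACTOR_BPS = 9000;

    error AccountUnhealthy(address account);

    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        _requireHealthy(msg.sender); // state change followed by the invariant check
    }

    // VULNERABLE PATTERN: burns the caller's collateral but never re-checks the
    // account, so the caller can move their own position under water.
    function donateToReservesUnchecked(uint256 amount) external {
        collateral[msg.sender] -= amount; // reverts on underflow in 0.8.x
        reserves += amount;
        // missing: _requireHealthy(msg.sender);
    }

    // HARDENED PATTERN: every function that lowers collateral or raises debt
    // ends with the same health check that borrow() enforces.
    function donateToReserves(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
        _requireHealthy(msg.sender);
    }

    function isHealthy(address account) public view returns (bool) {
        return collateral[account] * COLLATERAL_FACTOR_BPS / 10_000 >= debt[account];
    }

    function _requireHealthy(address account) internal view {
        if (!isHealthy(account)) revert AccountUnhealthy(account);
    }
}
```

The defensive rule the example encodes is that any function which reduces an account's collateral or increases its debt must end with the same solvency check that `borrow()` already applies. A review or invariant test can enumerate every write to `collateral` and `debt` and confirm that a health check follows it; the unchecked variant is the one such an enumeration would flag.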

Related: More than 280 blockchains at risk of ‘zero-day’ exploits, warns security firm

Sherlock noted that the Euler audit by WatchPug in July 2022 missed the critical vulnerability that eventually led to the exploit in March 2023.

Euler has also reached out to leading on-chain analytics and blockchain security firms, such as TRM Labs and Chainalysis, and to the broader ETH security community, to help with the investigation and recover the funds.

Euler said it is also trying to contact those responsible for the attack in order to learn more about the issue and possibly negotiate a bounty for the return of the stolen funds.

Thailand SEC wants public feedback on crypto lending, staking ban

Thailand’s securities regulator believes that crypto firms should not be allowed to deploy users’ deposits and provide lending services.

Thailand’s Securities and Exchange Commission (SEC) is preparing to hold a new public hearing on a potential ban on staking and lending services in the country.

Thailand’s SEC officially announced on March 8 that the authority is seeking public comments on a draft regulation prohibiting virtual asset service providers (VASPs) from providing or getting involved in any type of crypto staking and lending transactions.

According to the SEC’s policy, VASPs should not be allowed to deploy users’ deposits or provide lending services, so as to prevent harm to investors if those services are terminated. Additionally, the draft regulation is expected to further clarify the scope of supervision of digital asset businesses, which the SEC said are currently not fully supervised, adding:

“The proposed regulation aims to provide greater protection to investors, reduce associated risks, and prevent a misunderstanding that deposit taking and lending services are under the same supervision as regulated digital asset businesses.”

In the announcement, the securities regulator mentioned that the SEC conducted a public hearing on the principle of the proposed regulation in September and October 2022. The draft regulation would essentially prohibit VASPs from accepting user deposits for lending, staking and any further deployment of such assets, offering interest payouts on crypto holdings and advertising such services.

The authority has invited stakeholders and interested parties to submit their feedback and suggestions via the SEC’s website or email by April 7, 2023.

Related: SEC snubbed as Voyager wins court approval for sale to Binance.US

The news comes amid the SEC of Thailand beefing up the country’s cryptocurrency rules in response to the ongoing crisis in the crypto lending industry.

Many major industry lenders — including Voyager Digital, Celsius Network, Genesis Global, Babel Finance and Hodlnaut — have encountered serious liquidity issues amid the ongoing crypto bear market, pushing some firms to restructure or liquidate their business. Gemini, a major crypto exchange founded by Tyler and Cameron Winklevoss, is facing a lawsuit from the United States’ SEC for alleged violations in its “Earn” program, designed to offer investors up to 8.05% in annual gains.