Euler Finance hacked despite 10 audits in 2 years, says CEO

Ten separate audits carried out over a two-year period on the Ethereum-based lending protocol Euler Finance deemed it to be “nothing higher than low risk” and having “no outstanding issues” before it was hit by a $196 million attack.

In a series of tweets on March 17, Euler Labs CEO Michael Bentley described the “hardest days” of his life after Euler’s $196 million flash loan attack on March 13.

He retweeted one user sharing information that Euler had 10 audits from six different companies, and commented that the platform “has always been a security-minded project.”

Blockchain security companies including Halborn, Solidified, ZK Labs, Certora, Sherlock and Omniscia carried out smart contract audits on Euler Finance from May 2021 to September 2022.

Halborn ranked its risk assessment by measuring the “likelihood of a security incident” and the impact it could have, with the risk level ranging from very low and informational to critical. Euler received “nothing higher than low risk.”

A Dec. 2022 summary of Halborn’s audit revealed that it had found “an overall satisfactory result.”

The summary stated that 23 smart contracts had been “inspected and analyzed” by Halborn over a one-month period, of which only “two low risks and three informational” risks had been identified.

Euler said it had reviewed Halborn’s coverage and concluded the risks “pose no significant threats.”

Blockchain security firm Omniscia addressed some “incorrect paradigms” in Euler’s base swapper implementation, as well as how the swap mode was “handled by the codebase,” but stated in the report that these issues had been “properly dealt” with by Euler, and “no outstanding issues” remained.

On March 16, the protocol’s hacker began moving funds through crypto mixer Tornado Cash only hours after a $1 million bounty was launched by Euler for information leading to the hacker’s arrest.

In his recent Twitter thread, Bentley said he will never “forgive the attacker,” as he was forced to “sacrifice time” with his newborn son because of the attack, but thanked security experts who are “working on leads” for the investigation.

Only 24 hours prior to the bounty, Euler issued a warning saying it would launch one “that leads to your arrest and the return of all funds” if 90% wasn’t returned within 24 hours.