Bad Actors Still Haunt DeFi: Euler and Poolz Finance Exploits Latest Examples

More than $3.8 billion worth of digital assets – if accounting for unreported cases- was lost to various groups of malicious actors taking advantage of loopholes in smart contracts platforms last year. The Chainalysis report highlighting this alarming statistic further pointed out that a bulk of this sum was associated with the decentralized finance (DeFi) niche, effectively labeling the space a hotbed of hitters. SlowMist, another blockchain security firm, highlighted in its annual report on crypto security incidents that 2022 saw the highest number of security incidents affecting blockchains. A total of 303 cases of security being compromised were reported, a figure 28% more than the preceding years. Meanwhile, the estimate of aggregated losses came at around $3.77 billion – a justifiable discrepancy from other reporting.

DeFi exploits are not slowing down

SlowMist’s report indicated that the exploits mostly involved phishing and rug pulls, whilst cross-chain bridges took heavy blows. Exploits on Ronin, Wormhole, Nomad, and Harmony bridges resulted in losses exceeding $1.2 billion. In addition to cross-chain systems, attackers also favored exploiting DeFi contract vulnerabilities. The industry appeared to be recovering from the rampant issue towards the end of the year.

Comparison of blockchain losses. Source: SlowMist

CertiK separately observed that December's $62.2 million in thefts was the least monthly figure in 2022, the very year where FTX Wallet and Ronin Bridge lost a combined $1.09 billion in crypto. $15.5 million, nearly a quarter of the crypto thefts sum, was stolen via exit scams, while flash loan exploits wrote losses of $7.6 million. The incidences in December were led by Helio Protocol's loss of $15 million as a chain effect of the price exploit of Ankr Reward Bearing Staked BNB (aBNBc). The smart contract audit firm also detailed that the attack on Defrost Finance's V1 and V2 products led to a loss of $12.9 million, which has since been returned. Bitkeep lost $8 million, an inside job left Ankr short of $7 million, and Lodestar lost $6.5 million after an exploit of the price of PlutusDAO's plvGLP token to complete the top five hacks seen last month.

Halfway into March, this year has already shown signs of surpassing last year's frequency of exploits and cumulative funds lost to hackers.

Non-custodial lending Euler Finance suffers the biggest hack of 2023

In a recent display of these troubling doings, an attacker(s) siphoned nearly $200 million worth of crypto assets from lending protocol Euler Finance on Mar 13 in a since confirmed case of a flash loan attack. CertiK Alerts, the hacks and scams tracker page associated with CertiK, was among the first to report the developments, albeit around $41 million had been abstracted at the time. The alert page later updated that the attacker had drained the protocol decentralized stablecoins and synthetic ERC-20 tokens worth around $198 million in multiple transactions, including 96,800 ETH and 43.6 million DAI, making it the largest DeFi exploit so far this year.

The actor(s) sent the stolen assets to two wallets – one holding 34,186,225 DAIs and 88,752 ETHs and the other around 88,77,507 DAI tokens, on-chain data shows.  The Ethereum-based protocol said it had looped in blockchain security teams, including TRM Labs, Chainalysis, and other law enforcement agencies, to help address the matter. PeckShield, which tipped off Euler of the drain, shared in another brief note that it had identified the cause. The attacker specifically exploited a bug when executing a ‘donateToReservers ()’ function to liquidate himself from the protocol, repay the loan and simultaneously make a killing.

Euler addresses the vulnerability, working to recover stone funds

The collaborative efforts eventually managed to stop the exploit by disabling the vulnerable module and consequently blocking deposits, but the damage had extended to more than a dozen other protocols. Balancer revealed that the incident affected Euler Finance’s Boosted USD (bbe-USD) pool – nearly two-thirds of its total value locked had siphoned when the resolution to pause it was executed. Angle Protocol also updated its followers on exposure to the exploit as its core module has allocated some funds in Euler, Compound and Aave.

“If the funds from the hack (17,614,940.03 USDC) were to be definitely lost, the TVL of the Core module would be down to approximately $18.4m. If the funds from the hack (17,614,940.03 USDC) were to be definitely lost, the TVL of the Core module would be down to approximately $18.4m. In this case, the amount of reserves in the Core module would become inferior to the value of the claims of agEUR holders, of Standard Liquidity Providers and of the remaining hedging agents in the protocol, as a whole.”

Yearn Finance also reportedly lost funds to the hack. Sherlock, an audit team with past links to Euler, verified the exploit’s cause. In its reports, the team faulted an audit conducted by another group WatchPug in July 2022 for failure to identify the vulnerability. For the next recovery steps, the lending protocol team presented an offer of sorts to the hacker(s), promising to put a bounty up if the perpetrators failed to respond. The said reward of $1 million has since been publicly announced.

“Euler Foundation is launching a $1M reward in the hope that this provides additional incentive for information that leads to the Euler protocol attacker’s arrest and the return of all funds extracted by the attacker,” Euler posted today.

Blockchain visualization and analysis platform Meta Sleuth opined in a tweet that the attack relates to a previous attack where the attacker transferred funds from the BNB Smart Chain (BSC) to Ethereum using a multichain bridge.

“It seems two attackers launched 6 attack transactions. Attacker 0x5f25 launched the first attack, making a profit of ~8.8M DAI. All profits stay in the exploit contract 0xebc2. The initial funding comes from FixedFloat and deflation token exploiter 6 on BSC. Attacker 0xb269 launched the other five attacks, and the total profit is ~186M USD. Now all profits stay in two addresses. 0xb269 holds 8,080 ETH, 0xb66cd holds 88,752 ETH and ~34M DAI. This attacker's initial funding is from Tornado Cash,” the account theorized.

The postulation got endorsed by another account ZachXBT. The wallets and addresses connected to the exploits are 0xebc291[…] cbf99 holding roughly 8,877,507 DAI, 0xb269[…] cedd4 whose snapshot showed a balance of 8,080.97 ETH, and 0xb66c […]995db that held approx. 88,753 ETH & 34,186,226 DAI.

Web3 projects crowdfunding platform Poolz Finance exploited

Barely two days after the Euler incident, another hacker stole $390,000 from cross-chain Web3-focused crowdfunding launchpad Poolz Finance on the Polygon and Binance Smart Chain. A Mar 15 review from PeckShield detailed that the suspicious activity in the token vesting smart contract indicated a ‘classic arithmetic overflow issue’ being the cause. Poolz shared an update on the incident, advising users to stop trading POOLZ token. In addition to flagging the address in question, the launchpad dev team also removed liquidity from Pancakeswap and Uniswap.

Poolz Finance CEO Guy Oren confirmed in a tweet ongoing efforts to launch a new tokens contract while projecting trading to go live before the end of the day. Notably, the two incidents come barely a month since Platypus, another DeFi protocol, got exploited to the tune of $8.5 million, resulting in a brief depeg of its USP stablecoin offering from USD. In the case of Platypus, the actors took advantage of a loophole in the USP solvency check to drain the protocol.  Last week, Hedera revealed it had experienced technical issues disguising a loss of liquidity pools tokens when a hacker exploited the mainnet smart contract code.

Hedera and Dogecoin: Latest example of vulnerabilities in blockchains

Hedera’s total value locked (TVL) slumped towards the end of last week after the network was hit with technical difficulties that some theorized involved a smart contract exploit. DeFi Llama data shows that the platform's TVL dropped steeply in less than 24 hours following reports of the chain suffering technical irregularities affecting several decentralized applications.

Hedera TVL chart. Source: DeFi Llama

The HBAR Foundation, a non-profit backing the Hedera project, said the network was registered with smart contract anomalies affecting decentralized applications.

Protocols on Hedera urge users to take caution

The Mar 10 technical irregularities were described by some as an attack on the enterprise-grade network, which left protocols on it scampering for safety. SaucerSwap Labs, a decentralized exchange (DEX) operating on Hedera, urged its users to withdraw their liquidity immediately due to the alleged exploit happening on the network. The protocol later confirmed that it was unaffected by the said hack. The exploit specifically targeted Hedera smart contracts’ decompiling process, which is responsible for transforming the contract's bytecode into a more comprehensible Solidity-like code. It is useful for studying and comprehending the workings of a smart contract.

Nevertheless, malicious actors can also manipulate this process to gain unauthorized access to the smart contract, though the specific elements the attacker purportedly targeted in this case are not fully understood. In addition, Hashport said it was temporarily suspending its bridging services due to the smart contract irregularities, taking this action to safeguard the safety of user funds. Multichain DEX Pangolin urged users to exit any HTS tokens in Pangolin Pools and Farms.  Hedera resolved to work with the parties across the ecosystem to determine the potential impact of the anomaly. To further ensure the safety of its users, Hedera disabled network proxies on the mainnet as the core team explored the smart contract irregularities, restoring after the issues were resolved. It confirmed that the move did not affect consensus and that the mainnet remains online.

To learn more about Hedera, check out our Investing in Hedera guide.

Reports highlight weaknesses in the DeFi scene

A recent report from blockchain security firm Halborn disclosed that as much as 280 chains, including Dogecoin, have been operating while bearing a critical vulnerability. In a Mar 13 report, the firm cautioned that it had identified the vulnerability in a previous assessment of the open-source codebase of the Dogecoin network in 2022. The meme coin project shared that it resolved the potential zero-day triggering issue in its Core 1.14.5 release after receiving a tip-off from Halborn, whose services it acquired last March, to review its codebase.

The firm identified another loophole in the RPC (Remote Procedure Call) remote code execution affecting individual miners on Dogecoin. The network's devs have since urged users to update to the 1.14.6. node. Halborn indicated that Litecoin and Zcash were notable networks affected by other variations of the patched bug, which fraudsters and exploiters could have leveraged to execute more grave threats.  The two projects, too, worked with the security firm to address the major vulnerabilities.

To learn more about these projects, visit our Investing in Dogecoin and Investing in Zcash  guides.