Euler Finance hacked despite 10 audits in 2 years, says CEO

Ten separate audits conducted over a two-year period of the Ethereum-based lending protocol Euler Finance deemed it to be “nothing higher than low risk” and having “no outstanding issues” prior to it suffering from a $196 million attack.

In a series of tweets on March 17 Euler Labs CEO, Michael Bentley described the “hardest days” of his life after Euler’s $196 million flash loan attack on March 13.

He retweeted one user sharing information that Euler had 10 audits from 6 different firms, and commented that the platform “has always been a security-minded project.”

Blockchain security firms including Halborn, Solidified, ZK Labs, Certora, Sherlock and Omnisica conducted smart contract audits on Euler Finance from May 2021 to September 2022.

Halborn ranked its risk assessment by measuring the “likelihood of a security incident” and the impact it may have, with the risk level ranging from very low and informational, to critical — Euler received “nothing higher than low risk.”

It was revealed in a Dec. 2022 summary of Halborn’s audit that it had found “an overall satisfactory result.”

The summary stated 23 smart contracts were “inspected and analyzed” by Halborn over a one-month period, of which only “two low risks and three informational” risks were identified.

Euler stated it had reviewed Halborn’s coverage and concluded the risks “pose no significant threats.”

Blockchain security firm Omnisica addressed some “incorrect paradigms” in Euler’s base swapper implementation, as well as how the swap mode was “handled by the codebase” — but stated in the report that these issues were “properly dealt” with by Euler, and “no outstanding issues” remained.

Related: Euler Finance blocks vulnerable module, working on recovering funds

On March 16 the protocol’s hacker began moving funds through crypto mixer Tornado Cash only hours after a $1 million bounty was launched by Euler for information leading to the hacker’s arrest.

In his recent Twitter thread Bentley said he’ll never “forgive the attacker” as he was forced to “sacrifice time” with his newborn son due to the attack but thanked security experts who are “working on leads” for the investigation.

Only 24 hours prior to the bounty, Euler issued a warning saying it would launch a one “that leads to your arrest and the return of all funds” if 90% wasn’t returned within 24 hours.