Analysts tracking $197 million theft from DeFi lender Euler Finance

Hackers reportedly stole $197 million in cryptocurrency from the decentralized finance (DeFi) platform Euler Finance in the latest flash loan attack to target the industry.

Euler Labs did not respond to requests for comment but confirmed the attack on Monday morning. It released a second statement in the afternoon saying law enforcement has been contacted about the incident.

“We continue to investigate this morning’s unlawful extraction of funds from the Euler protocol. The Euler Labs team has taken several immediate actions to attempt to recover the funds and identify exactly what happened, including contacting and sharing information with law enforcement, and working with independent third-party auditors and security firms,” the company said.

“Our number one priority is recovering funds for Euler protocol users and we are working as hard as we can to make that happen.”

Flash loan attacks — which involve hackers borrowing funds that do not require collateral, buying a significant amount of a cryptocurrency to artificially raise its price and then offloading the coins before the loan is paid back and the borrower keeps any profit — have been used to attack several platforms over the last two years.

Researchers with the blockchain security company CertiK found that the hackers used six flash loan attacks to steal the funds.

They found two vulnerabilities in the Euler platform that left it exposed to this kind of attack and allowed the hackers to leave the platform insolvent. According to Certik, the nearly $200 million hack is more than double the amount lost in all cryptocurrency-related incidents combined so far this year.

In October, more than $100 million in cryptocurrency was stolen from crypto trading platform Mango Markets in a flash loan attack. The FBI warned last year that it has observed attackers use flash loans attacks in a number of incidents affecting crypto platforms across the world.

Security researchers at BlocSec and PeckShield also confirmed to The Record that an analysis of blockchain transactions shows the monumental amount of stolen cryptocurrency.

The research companies said $135.8 million in Staked Ethereum (stETH), $33.8 million in the U.S. dollar-pegged stablecoin USDC, $18.5 million in Wrapped Bitcoin (WBTC) and $8.7 million in the decentralized stablecoin DAI were stolen. Certik pointed The Record to several addresses in which the hacker is suspected to be holding the funds.

On its website, Euler said it hired six different security companies to provide various audit and checking services, including Certora, Halborn, Solidified, ZK Labs, Sherlock, Omniscia and Pen Test Partners.