Ethereum-based crypto lending protocol Euler Finance has fallen victim to a flash loan attack resulting in a loss of $196 million in crypto assets. The hack is estimated to be the largest crypto theft in 2023 so far.

Euler Finance is a decentralized, permissionless lending protocol custom-built to help users lend and borrow digital assets.

According analytical research firm BlockSec, the attacker drained over $8.8 million in DAI, over $135.8 million in tokenized ether (stETH), more than $33.8 million in USDC and other altcoins.

A Euler Finance spokesperson has confirmed on Twitter that the company is aware of the incident and is working with security professionals and law enforcement to remedy the issue.

While Euler Finance has not released any additional details on how the attack occurred, Numen Cyber Lab’s team has published an analysis of the hack claiming that the threat actor took advantage of the lack of liquidity check in the function donateToReserves().

The attack scheme is explained as follows:

1. The hacker first borrowed 30 million DAI through a flash loan from Aave and then deployed two contracts: one for lending and one for liquidation.

2. The attacker then called the deposit function and pledged 20 million DAI to the Euler Protocol contract, receiving 19.5 million eDAI in return. 

3. The Euler Protocol allows users to borrow up to 10 times their deposit by calling the mint function. The attacker leveraged this capability to borrow 195.6 million eDAI and 200 million dDAI.

4. The attacker called the repay function using the remaining 10 million DAI borrowed through the flash loan to repay their debt and destroy 10 million dDAI. They then proceeded to call the mint function again to borrow 195.6 million eDAI and 200 million dDAI.

5. The attacker then called the donateToReserves function and donated 10 times the amount needed to repay their debt, sending 100 million eDAI. They then called the liquidate function to initiate the liquidation process and obtained 310 million dDAI and 250 million eDAI.

6. The attacker called the withdraw function and obtained 38.9 million DAI, which they used to repay the 30 million DAI borrowed through the flash loan. They profited 8.87 million DAI from the attack.

Earlier this year, the DeFi protocol Platypus was hit with a flash loan attack, draining over $8.5 million. However, with the help of some blockchain security experts, the company managed to track down the hackers and recover some funds. Two suspects believed to be responsible for the theft were arrested in France.