Euler Finance attack: How it happened, and what can be learned

cointelegraph.com:

The March 13 flash loan attack against Euler Finance resulted in over $195 million in losses. It caused a contagion to spread through multiple decentralized finance (DeFi) protocols, and at least 11 protocols other than Euler suffered losses due to the attack.

Over the next 23 days, and to the great relief of many Euler users, the attacker returned all of the exploited funds.

But while the crypto community can celebrate the return of the funds, the question remains whether similar attacks may cause massive losses in the future.

An analysis of how the attack happened and whether developers and users can do anything to help prevent these kinds of attacks in the future may be helpful.

Luckily, Euler’s developer docs clearly explain how the protocol works, and the blockchain itself has preserved a complete record of the attack. 

According to the protocol’s official docs, Euler is a lending platform similar to Compound or Aave. Users can deposit crypto and allow the protocol to lend it to others, or they can use a deposit as collateral to borrow crypto.

The value of a user’s collateral must always be more than what they borrow. Suppose a user’s collateral falls below a specific ratio of collateral value to debt value. In that case, the platform will allow them to be “liquidated,” meaning their collateral will be sold off to pay back their debts. The exact amount of collateral a user needs depends upon the asset being deposited vs. the asset being borrowed.

Whenever users deposit to Euler, they receive eTokens representing the deposited coins. For example, if a user deposits 1,000 USD Coin (USDC), they will receive the same amount of eUSDC in exchange.

Since they become worth more than the underlying coins as the deposit earns