Ten consecutive audits of the Ethereum-based lending protocol Euler Finance over a two-year period found it to be “nothing more than low risk” with “no remaining concerns” prior to a $196 million attack.
On March 17, Euler Laboratories CEO Michael Bentley detailed the “hardest days” of his life following Euler’s $196 million flash loan attack on March 13. He retweeted one user who shared that Euler has received 10 audits from six different organizations, and he added that the site “has always been a security-minded initiative.”
From May 2021 through September 2022, blockchain security organizations such as Halborn, Solidified, ZK Labs, Certora, Sherlock, and Omniscia audited Euler Finance smart contracts. Halborn graded its risk assessment by calculating the “probability of a security event” and its potential impact, with risk levels ranging from extremely low and informational to critical; Euler earned “nothing greater than low risk.”
A report of Halborn’s audit released in December 2022 indicated that it had found “an overall satisfactory outcome.” According to the report, Halborn “inspected and studied” 23 smart contracts during a one-month period, identifying just “two low risks and three informational” problems. According to Euler, it assessed Halborn’s coverage and decided that the risks “offer no substantial hazards.”
Omniscia, a blockchain security firm, corrected various “incorrect paradigms” in Euler’s basic swapper implementation, as well as how the swap mode was “managed by the software,” but claimed in the report that Euler “fully dealt” with these concerns, and “no unresolved issues” remained.
Within hours after Euler issued a $1 million bounty for information leading to the hacker’s arrest, the protocol’s hacker began transferring assets through crypto mixer Tornado Cash on March 16.
Bentley claimed in a recent Twitter thread that he will never “forgive the attacker” because the hack forced him to “sacrifice time” with his newborn kid, but he praised security specialists who are “working on leads” for the inquiry. Barely 24 hours before the bounty, Euler issued a warning, threatening to launch one “that leads to your imprisonment and the return of all monies” if 90% of the funds were not returned within 24 hours.