What Happened

Euler Finance (Backtest)

$197M | Smart Contract Exploit | March 13, 2023

The attacker combined a flash-loan-funded, leveraged mint of eTokens and dTokens with the donateToReserves function, which burned eTokens (collateral) from the caller's sub-account without checking the caller's liquidity afterwards. Burning collateral while the dToken debt stayed in place left a deeply undercollateralized position, which the attacker then self-liquidated from a second account at the maximum 20% penalty, taking the collateral at a discount and leaving the unbacked debt with the protocol. The loss was $197M across the DAI, WBTC, stETH and USDC markets.

What Hindenrank Would Have Said

As of February 1, 2023

Grade: C
Risk Score: 50/100

Elevated risk — high mechanism novelty and complex flash loan interaction surface create material attack vectors, partially offset by multiple audits and a clean 14-month track record.

Mechanism Novelty: 12/15
Interaction Severity: 16/20
Oracle Surface: 5/10
Documentation Quality: 3/10
Track Record: 3/15
Scale Exposure: 5/10
Regulatory Risk: 2/10
Protocol Vitality: 4/10

Scenario Predicted the Failure Mode

The C grade (50/100) did not cross the D+ threshold for a high-risk flag. However, our collapse scenario analysis predicted the exact failure mode that occurred.

Flagged by dimensions: Mechanism Novelty, Interaction Severity, Oracle Surface

One or more collapse scenarios directly matched the actual failure mode.

Top Risks Identified

  1. Flash loans combined with deferred liquidity checks and leveraged borrowing create a wide attack surface for multi-step manipulation. Euler's batch dispatch allows deferring health checks on sub-accounts until the end of a batch transaction, meaning an attacker could build up complex undercollateralized positions within a single transaction before liquidity is verified.
  2. Permissionless asset listing enables anyone to create lending markets for any ERC-20 token with a Uniswap V3 WETH pair, relying on Uniswap V3 TWAP oracles that may be manipulable for low-liquidity tokens. The tiered asset classification (isolation/cross/collateral) mitigates but does not eliminate this risk: isolation-tier assets cannot be used as collateral, but they can still be borrowed at the oracle price, and governance can promote a thinly traded asset to the collateral tier.
  3. Tokenized debt (dTokens) combined with the soft liquidation mechanism creates potential for self-liquidation attacks. The transferability of debt tokens and the graduated penalty structure (0% to 20% based on health factor) could be exploited to extract value from the reserve system.
  4. The protocol's codebase is significantly more complex than established lending protocols like Aave or Compound. Sub-accounts, deferred liquidity checks, permissionless markets, reactive interest rates, and soft liquidations all increase the surface area for smart contract vulnerabilities, despite the protocol having undergone multiple audits.

Collapse Scenarios

Flash Loan Leveraged Position Manipulation via Deferred Liquidity Checks

Elevated
Trigger

Attacker identifies a function in Euler's smart contracts that modifies eToken or dToken balances without a subsequent liquidity check, allowing manipulation of collateral-to-debt ratios within a deferred-check batch transaction

Cascade
1. Attacker takes a large flash loan (e.g., 30M DAI) from Euler or another lending protocol. Outcome: attacker has temporary capital to seed leveraged positions across Euler sub-accounts.
2. Attacker uses Euler's mint function to create eTokens and matching dTokens, building up a large eToken position backed by the flash-loaned capital. Outcome: attacker holds significant eToken collateral and corresponding dToken debt across sub-accounts.
3. Attacker identifies and calls a reserve-manipulation function (e.g., donateToReserves) that burns eTokens without checking whether the resulting position is undercollateralized. Outcome: the attacker's collateral (eTokens) is destroyed while the debt (dTokens) persists, leaving a deeply undercollateralized position.
4. The undercollateralized position becomes eligible for Euler's soft liquidation, and the attacker self-liquidates it from another account at the maximum 20% penalty discount. Outcome: the attacker takes the remaining collateral at a discount and leaves the unbacked debt with the protocol, extracting value from the reserves and other depositors.
5. Attacker repeats across multiple token markets (DAI, WBTC, stETH, USDC), draining each. Outcome: protocol-wide loss of $100M-$300M in deposited funds as reserves are drained across multiple markets.
6. Depositors discover the losses and rush to withdraw remaining funds. Outcome: bank run on the remaining Euler markets, EUL token collapses, protocol effectively ceases operations.
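To make steps 2 to 4 of the cascade concrete, here is a toy model of the eToken/dToken accounting, written for this page and not taken from Euler's contracts. It has one market with a collateral factor, an Euler-style mint that creates equal eTokens and dTokens, a donate-to-reserves function with an optional liquidity check, and a soft liquidation whose discount grows with how unhealthy the violator is, capped at 20%. The 95% collateral factor, the 20M/380M/100M amounts, the account names and the discount formula are constructed assumptions; the model has a single asset, no interest and no exchange rate.

```python
from fractions import Fraction

BPS = 10_000  # factors in basis points, as lending contracts usually express them


class LiquidityViolation(Exception):
    """Where a real contract would revert: the account is undercollateralized."""


class Market:
    """One lending market. eTokens are a claim on deposited underlying (collateral);
    dTokens are debt in the same underlying. Amounts are whole tokens (ints)."""

    def __init__(self, collateral_factor_bps=9_500, max_discount_bps=2_000):
        self.cf = collateral_factor_bps       # constructed: 95% risk adjustment
        self.max_discount = max_discount_bps  # page: liquidation penalty capped at 20%
        self.e = {}                           # sub-account -> eToken balance
        self.d = {}                           # sub-account -> dToken balance
        self.reserves = 0
        self.bad_debt = 0                     # debt left with no collateral behind it

    def _touch(self, acct):
        self.e.setdefault(acct, 0)
        self.d.setdefault(acct, 0)

    def health(self, acct):
        """Risk-adjusted collateral divided by debt; >= 1 means solvent."""
        self._touch(acct)
        if self.d[acct] == 0:
            return Fraction(10**12)  # no debt: treat as unbounded
        return Fraction(self.e[acct] * self.cf, self.d[acct] * BPS)

    def require_healthy(self, acct):
        h = self.health(acct)
        if h < 1:
            raise LiquidityViolation(f"{acct}: health {float(h):.3f} < 1")

    def deposit(self, acct, amount):
        self._touch(acct)
        self.e[acct] += amount

    def mint(self, acct, amount):
        """Euler-style mint: equal eTokens and dTokens in one step (self-borrow)."""
        self._touch(acct)
        self.e[acct] += amount
        self.d[acct] += amount
        self.require_healthy(acct)

    def donate_to_reserves(self, acct, amount, *, check_liquidity):
        """Burn the caller's eTokens into reserves. With check_liquidity=False this is
        the vulnerable shape: collateral leaves, debt stays, nobody checks."""
        self._touch(acct)
        if amount > self.e[acct]:
            raise ValueError("insufficient eTokens")
        self.e[acct] -= amount
        self.reserves += amount
        if check_liquidity:
            self.require_healthy(acct)

    def liquidate(self, liquidator, violator):
        """Soft liquidation (constructed): discount = min(1 - health, cap). Liquidator
        takes all the violator's collateral and assumes debt worth collateral*(1-discount)."""
        self._touch(liquidator)
        self._touch(violator)
        h = self.health(violator)
        if h >= 1:
            raise ValueError("violator is healthy; nothing to liquidate")
        discount = min(self.max_discount, int((1 - h) * BPS))
        collateral = self.e[violator]
        debt_taken = min(self.d[violator], collateral * (BPS - discount) // BPS)
        self.e[violator] -= collateral
        self.e[liquidator] += collateral
        self.d[violator] -= debt_taken
        self.d[liquidator] += debt_taken
        self.require_healthy(liquidator)
        # violator now holds zero collateral; whatever debt remains is unrecoverable
        self.bad_debt += self.d[violator]
        self.d[violator] = 0
        return discount


def run_attack(check_liquidity, capital=20_000_000, mint_amount=380_000_000,
               donation=100_000_000):
    """Cascade steps 2-4 in one market. Amounts are constructed so the position sits
    exactly at health 1.0 after minting."""
    m = Market()
    m.deposit("violator", capital)     # flash-loaned capital from step 1
    m.mint("violator", mint_amount)    # 400M eTokens vs 380M dTokens, health 1.0
    try:
        m.donate_to_reserves("violator", donation, check_liquidity=check_liquidity)
    except LiquidityViolation as exc:
        return {"reverted": True, "reason": str(exc)}
    health_after_donate = m.health("violator")
    discount = m.liquidate("liquidator", "violator")
    net_position = m.e["liquidator"] - m.d["liquidator"]
    return {
        "reverted": False,
        "health_after_donate": health_after_donate,
        "discount_bps": discount,
        "attacker_profit": net_position - capital,
        "bad_debt": m.bad_debt,
    }


if __name__ == "__main__":
    print("no liquidity check:", run_attack(check_liquidity=False))
    print("with liquidity check:", run_attack(check_liquidity=True))
```

Without the check, the donation drops the violator's health to 0.75, the discount hits the 20% cap, and the liquidator account walks away with 300M eTokens against 240M dTokens: 40M of profit on 20M of borrowed capital, with 140M of unbacked dTokens left for the protocol. With the check, the same donate call reverts at the point where the real contract should have. The fix the scenario implies is the one-liner: any function that reduces collateral or increases debt ends with a liquidity check, or is covered by the deferred check at the end of the batch.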
Historical Precedent

Cream Finance v2 suffered a $130M flash loan exploit in October 2021 via price manipulation of a collateral token's valuation. Beanstalk lost $182M in April 2022 via a flash-loan-funded governance attack. Both exploited the interaction between flash loans and protocol-specific mechanisms.

Oracle Manipulation on Permissionless Low-Liquidity Markets

Moderate
Trigger

A thinly traded token that governance has promoted to Euler's collateral tier (newly listed tokens start in the isolation tier, which cannot be used as collateral) has less than $1M in Uniswap V3 liquidity, making the TWAP oracle manipulable for under $500K in capital over a multi-block window

Cascade
1. Attacker identifies a collateral-tier token on Euler with thin Uniswap V3 liquidity (under $500K) and deposits a large position of it. Outcome: attacker establishes a borrowing position using the low-liquidity token as collateral at the current TWAP-based valuation.
2. Attacker executes trades on the thin Uniswap V3 pool over several consecutive blocks to inflate the TWAP price of the collateral token. Outcome: Euler's oracle reports an inflated price for the collateral, increasing the attacker's borrowing capacity.
3. Attacker borrows high-quality assets (ETH, USDC, DAI) against the inflated collateral up to the maximum loan-to-value. Outcome: attacker extracts high-quality assets from the protocol backed by artificially inflated low-quality collateral.
4. The TWAP reverts to the true price once the manipulation stops, leaving the attacker's position deeply undercollateralized. Outcome: the protocol absorbs the bad debt, since the collateral is worth far less than the borrowed assets. Loss is limited to the specific market but can be repeated across other thinly traded collateral-tier tokens.
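Why the trigger says "multi-block window": Uniswap V3 accumulates ticks (log-price), so a window TWAP is the geometric mean of per-block prices, and a one-block spike barely moves it. The model below, added for this page and not Euler's or Uniswap's code, computes how many consecutive blocks the spot price must be held at a multiple of the true price for the TWAP to reach a target inflation, then carries that through cascade steps 2 to 4. The 150-block window, 10x spot push, 1M collateral units and 50% collateral factor are constructed; the model ignores the capital cost of holding the pool at the manipulated price and what arbitrageurs take from the attacker while it is held there.

```python
import math


def twap(block_prices):
    """Window TWAP the way a tick accumulator yields it: the geometric mean of the
    per-block prices (averaging log-price), not the arithmetic mean."""
    return math.exp(sum(math.log(p) for p in block_prices) / len(block_prices))


def blocks_needed(window_blocks, spot_multiplier, target_inflation):
    """Consecutive blocks at spot = true_price * spot_multiplier needed for the window
    TWAP to reach true_price * target_inflation. From mult**n >= target**N:
    n >= N * ln(target) / ln(mult). May exceed the window when target > mult."""
    if spot_multiplier <= 1 or target_inflation <= 1:
        raise ValueError("multiplier and target must both exceed 1")
    return math.ceil(window_blocks * math.log(target_inflation)
                     / math.log(spot_multiplier))


def manipulation_outcome(collateral_units, true_price, collateral_factor,
                         window_blocks, spot_multiplier, target_inflation):
    """Hold spot high for n blocks, read the inflated TWAP, borrow up to the collateral
    factor, then let the price revert. Returns None if the target is unreachable
    inside the window; otherwise what was borrowed and the protocol's shortfall."""
    n = blocks_needed(window_blocks, spot_multiplier, target_inflation)
    if n > window_blocks:
        return None
    # constructed price path: n manipulated blocks, then the rest of the window at truth
    prices = [true_price * spot_multiplier] * n + [true_price] * (window_blocks - n)
    oracle_price = twap(prices)
    borrowed = collateral_units * oracle_price * collateral_factor
    true_value = collateral_units * true_price
    return {
        "blocks_manipulated": n,
        "oracle_price": oracle_price,
        "borrowed": borrowed,
        "bad_debt": max(0.0, borrowed - true_value),  # shortfall after re-marking
    }


if __name__ == "__main__":
    # doubling a 150-block TWAP with a 10x spot push takes 46 blocks, not one
    print(blocks_needed(150, 10, 2))
    print(manipulation_outcome(1_000_000, 1.0, 0.5, 150, 10, 3))
    print(manipulation_outcome(1_000_000, 1.0, 0.5, 150, 2, 3))  # unreachable
```

The practical check this gives a reviewer: with a 50% collateral factor the oracle must be pushed above 2x before the attacker borrows more than the collateral is truly worth, and on a 150-block window that means controlling the pool for dozens of consecutive blocks, which is exactly where thin liquidity turns an expensive attack into a cheap one.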
Historical Precedent

Mango Markets lost $116M in October 2022 when an attacker manipulated the price of the MNGO token on thin markets to inflate the value of their collateral and drain the protocol's deposits. The attack exploited the same class of vulnerability: oracle manipulation of a thinly traded collateral asset.