Hackers steal nearly $200m from UK crypto lender Euler Labs, amidst rampant hacking and business failures in crypto sector
Hackers have stolen nearly $200 million (£165m) from UK crypto lending start-up Euler Labs, in the apparent exploitation of a vulnerability in the firm’s Euler Finance protocol.
The company is a decentralised finance (DeFi) firm that allows users to lend or borrow large sums of cryptocurrency with minimal collateral.
The hackers stole $137.1m in Staked Ether tokens, $18.9m in Wrapped Bitcoin, $34.1m in USD Coin and $8.8m in the Dai token, for a total of about $199m, according to blockchain analysis firm Elliptic.
Elliptic said the funds from the Monday hack were already being laundered through Tornado Cash, a decentralised mixer that allows transactions to be obfuscated.
Tornado Cash was blacklisted by the US Treasury last August after the agency accused it of laundering more than $7bn in digital currencies.
Euler Finance said it immediately took action to try and contain the attack and engaged blockchain intelligence firms Chainalysis and TRM Labs as well as the Ethereum security community to try and recover the funds.
The start-up said it had communicated with UK and US law enforcement as well as contacting the attackers to “see if we might learn more about our options”.
The firm noted that the apparent vulnerability used by the attackers had not been spotted during audits by “external security firms”.
“Euler Labs works with various security groups to perform audits of the Euler Finance protocol,” the company said.
“While the vulnerable code was reviewed and approved during an outside audit, the vulnerability was not discovered as part of the audit.
“The vulnerability remained on-chain for eight months until it was exploited today, despite a $1m bug bounty being in place during that time.”
Decentralised finance companies, which operate with minimal human oversight, have become a popular target for hackers, with attacks on them accounting for $3.1bn or 82.1 percent of all digital assets stolen by hackers last year, according to Chainalysis.