Smart Contract Exploit
2023-03-13 | $197M (80% recovered)

Euler Finance Exploit

March 2023 — donateToReserves bug + flash loans drain $197M; attacker subsequently returns ~80% via on-chain negotiation.

Euler Finance was a non-custodial DeFi lending protocol on Ethereum. On March 13, 2023, an attacker exploited a previously unidentified bug in the protocol's `donateToReserves` function to drain approximately $197M across multiple assets. The attack required only a single transaction (plus the flash-loan funding) and bypassed Euler's standard collateral checks through a sequence of borrowing, donating, and self-liquidation.

The Euler case is notable for two reasons. First, the bug was structurally subtle — it involved interactions between Euler's borrow logic, its donation function, and its liquidation logic that no auditor or developer had identified in extensive prior reviews. Second, the post-exploit recovery process was unusual: through a combination of on-chain message exchange between the Euler team and the attacker, white-hat-style negotiations, and (publicly stated) law-enforcement engagement, the attacker returned approximately 80% of the stolen funds over several weeks following the attack.

The case became a foundational reference for both the specific bug class (lending-protocol design that allows manipulating a position's health through donation) and the broader question of post-exploit recovery negotiation strategies.

Timeline

  1. 2022-Q4
    Euler Finance launches as a non-custodial lending protocol with novel features including reactive interest rates.
  2. 2023-Q1
    Euler accumulates ~$300M TVL; multiple audits completed with no findings of the eventual exploit vector.
  3. 2023-03-13 (~09:00 UTC)
    Attacker initiates exploit via flash loan from Aave; sequence of borrow + donateToReserves + liquidate calls drains ~$197M across multiple assets.
  4. 2023-03-13 (afternoon)
    Euler team publicly acknowledges the exploit; pauses additional protocol operations.
  5. 2023-03-13 to 2023-03-15
    Euler team posts on-chain message to the attacker offering 10% bounty + non-prosecution for return of remaining funds.
  6. 2023-03-25
    Attacker initiates partial return of funds via on-chain transactions.
  7. 2023-04-04
    Attacker publicly apologises via on-chain message and returns substantial additional funds.
  8. 2023-04-12
    Cumulative returns reach approximately 80% of the original $197M; remaining funds traced to mixers and laundering services.
  9. 2023-Q3
    Euler bridge contracts permanently shut down; remaining team works on architectural redesign for future protocol versions.

Mechanism

The donateToReserves function. Euler had a `donateToReserves` function that allowed users to voluntarily transfer their position's value into the protocol's reserves (e.g., as a way to support the protocol). The function reduced the donor's position balance and increased the protocol reserves. The intended use was rare and voluntary — a goodwill mechanism.

The missing health check. The bug was that `donateToReserves` did not check whether the donor's resulting position was still adequately collateralised. A user with a borrow position could donate enough of their collateral to make their position undercollateralised — at which point the standard liquidation logic should kick in.

The self-liquidation exploitation. Euler's liquidation logic rewarded liquidators with a percentage of the collateral they liquidated. The attacker constructed a sequence: (a) flash-borrow a large amount; (b) deposit it on Euler as collateral; (c) borrow against the collateral; (d) call `donateToReserves` on the deposited collateral until the position became substantially under-collateralised; (e) self-liquidate the position, capturing the liquidation discount on what was, effectively, the attacker's own collateral. The flash loan was repaid from the borrowed amount and the liquidation profit.
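The defensive point of the two paragraphs above is that a collateral-reducing operation must run the same health check as the borrow path. The following toy lending-pool model is an added illustration written for this page, not Euler's code: the names, the 80% collateral factor and the 1:1 price are constructed assumptions. It runs the donation with and without the health check and reports the invariant a property test would assert after every user-driven call.

```python
# Constructed toy model (not Euler's contracts): one collateral asset priced 1:1
# against the debt asset, so a position's health depends only on its own actions.
from dataclasses import dataclass, field

COLLATERAL_FACTOR_BPS = 8_000   # assumption: may borrow up to 80% of collateral value


class Unhealthy(Exception):
    """Raised when an operation would leave a position undercollateralised."""


@dataclass
class Position:
    collateral: int = 0
    debt: int = 0

    def healthy(self) -> bool:
        return self.collateral * COLLATERAL_FACTOR_BPS >= self.debt * 10_000


@dataclass
class ToyPool:
    reserves: int = 0
    positions: dict = field(default_factory=dict)

    def deposit(self, who: str, amount: int) -> None:
        self.positions.setdefault(who, Position()).collateral += amount

    def borrow(self, who: str, amount: int) -> None:
        p = self.positions[who]
        p.debt += amount
        if not p.healthy():            # the borrow path always checks health
            p.debt -= amount
            raise Unhealthy("borrow")

    def donate_to_reserves(self, who: str, amount: int, check_health: bool) -> None:
        # Reduces collateral exactly like a withdrawal, so it needs the same check.
        # check_health=False reproduces the missing-check bug class described above.
        p = self.positions[who]
        p.collateral -= amount
        self.reserves += amount
        if check_health and not p.healthy():
            p.collateral += amount
            self.reserves -= amount
            raise Unhealthy("donate_to_reserves")

    def unhealthy_positions(self) -> list:
        # Invariant for a fuzz/property test: with a fixed price, no position may
        # become liquidatable through its owner's own calls.
        return [who for who, p in self.positions.items() if not p.healthy()]


def run_scenario(check_health: bool) -> tuple:
    """Returns (donation reverted?, positions left undercollateralised)."""
    pool = ToyPool()
    pool.deposit("user", 1_000)
    pool.borrow("user", 800)           # exactly the 80% limit
    try:
        pool.donate_to_reserves("user", 500, check_health)
        return False, pool.unhealthy_positions()
    except Unhealthy:
        return True, pool.unhealthy_positions()
```

Without the check the donation succeeds and leaves the user's own position liquidatable; with it the call reverts and the invariant holds.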

The audit-coverage gap. Euler had been audited multiple times by reputable firms before launch. The bug was not identified in any of the audits because it required a specific interaction pattern — donating to reserves while in a borrow position with the intent to self-liquidate — that audit testing methodologies don't typically cover. The class of bug ('logic interactions between functions that are each independently correct') is structurally harder to find than single-function bugs like missing-modifier or reentrancy.

The on-chain negotiation. The Euler team's post-exploit communication strategy was unusual. Within hours, the team posted public on-chain messages to the attacker's address offering specific terms: return 90% of the funds and the protocol would not pursue prosecution; refuse and law enforcement engagement would proceed. Subsequent on-chain message exchanges (visible on Etherscan as input data on small ETH transactions) established a back-and-forth negotiation that eventually produced substantial returns. The attacker's later 'apology' message was framed by some observers as a coerced de-escalation rather than genuine remorse.

Impact

The Euler exploit produced several lasting impacts. First, the specific bug class — donation-style functions that interact with collateral health checks — is now explicitly audited for in subsequent DeFi lending designs. Second, the on-chain negotiation precedent established a model for post-exploit recovery that has been replicated by other protocols (sometimes successfully, sometimes not). Third, the audit-coverage discussion that followed Euler substantially shaped post-2023 audit-firm practice: multi-firm coverage, formal verification, and economic-attack-vector testing are now more standardised than they were pre-Euler. The Euler case is also notable for its outcome: 80% recovery represented one of the more successful post-exploit recovery rates in DeFi history.

Operational lessons

  1. Function interactions create bugs that single-function audits miss. The Euler bug was not in `donateToReserves` alone or in liquidation alone — it was in their interaction. Audit methodologies that focus on individual function correctness can miss bugs that emerge from function combinations.
  2. Self-interaction patterns are an underexplored attack surface. Most DeFi exploits assume an external adversary acting against the protocol. The Euler attacker was effectively acting against themselves in stages (donating to make their own position weak, then liquidating it) — a pattern that traditional security analysis doesn't naturally consider.
  3. Post-exploit negotiation can recover substantial funds. Euler's 80% recovery is substantially better than typical post-exploit outcomes. The combination of public on-chain communication, specific terms (10% bounty), and stated law-enforcement coordination produced returns that adversarial-only responses likely would not have.
  4. Flash loans are the structural amplifier for many DeFi exploits. Without flash loans, the Euler exploit would have required substantial pre-existing capital; with flash loans, the attack required only the gas cost of the transaction. Flash-loan economics make many exploit patterns viable that would otherwise be prohibitively expensive.
  5. Audits provide important but limited coverage. Euler's multi-audit history did not prevent the exploit. Audits should be one component of a security strategy, not the sole reliance. Formal verification, fuzzing, economic-attack modelling, and ongoing monitoring all complement audit coverage.

Aftermath

Euler Finance's original protocol was permanently retired following the exploit and recovery negotiations. The Euler team subsequently worked on architectural redesigns for future protocol versions, with substantial post-exploit reflection on how to prevent the bug class going forward. The attacker's identity has not been publicly disclosed; the on-chain negotiation produced approximately $176M in returned funds, with the remaining ~$20M traced to mixers and presumed unrecoverable. The case is widely studied in DeFi security curricula and is one of the most-cited references in current lending-protocol design discussions. Euler's recovery success rate (80%) is often cited as evidence that on-chain negotiation strategies can be effective, although critics note the outcome was favoured by the attacker's specific characteristics (apparently not part of an organised criminal group) that don't generalise to all post-exploit situations.
