Security Research

Detecting a $197 Million Hack Before Exploitation: Euler Finance Hack Retrospective

April 6, 2023

Forta’s monitoring detected the largest attack of 2023 in advance, before $197 million was drained. Despite Euler Finance taking all the necessary precautions, including six audits and a bug bounty program, the protocol was still vulnerable to attack, which reinforces the need for real-time threat detection. This post describes how Forta detected the attack and raised alerts before exploitation.

Before exploitation, three critical Forta alerts were raised. On March 13th at 8:43 AM UTC, the attacker funded their attack just 10 minutes before exploitation and deployed their contract two minutes before exploitation. Both events were flagged in real time by Forta via the Tornado Cash bot and the machine-learning-based Malicious Contract bot. Forta’s Malicious Contract bot is a unique breakthrough in threat detection, able to detect hacks before they happen by using machine learning to dissect the opcodes of every deployed smart contract in search of malicious patterns.

Forta’s Attack Detector V3 fired an early warning three minutes before the attack, based on unique new logic focused on early attack stages. 15 minutes after exploitation, BlockSec's Attack Detector fired another critical alert.

Automated victim identification is important even before exploitation happens. Forta’s victim identification bot successfully triggered before the attack, automatically identified Euler Finance as the victim, and relayed the information to the latest version of Forta’s Attack Detector, which surfaced the appropriate victim information.

Most people perceive hacks in Web3 as atomic: in an instant, the attack is carried out and funds are lost forever, with no time to respond. In this case, as in most hacks, the attack took place over minutes or hours, on a clearly defined stage-by-stage basis. This should inspire hope, as each stage creates an opportunity for intervention by future emergency response mechanisms. Sadly, in this case the attack still happened too fast for the standard manual response of a multisig pausing the contract.

In the future, positive reputation systems, circuit breakers, and other automated systems will need to be built based on monitoring systems to prevent these types of hacks. Had Euler implemented any type of emergency shutoff valve triggered by Forta alerts, the attack could have been mitigated or potentially completely prevented. In the meantime, monitor your contracts with the Attack Detector to receive critical early warning signs and protect your protocol.
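The stage-by-stage view and the alert-triggered shutoff described above can be sketched as a small correlation routine. This is an added example, not Forta's or Euler's code: the alert fields, bot labels, placeholder addresses, one-hour window and sample timestamps are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRE_EXPLOIT = {"funding", "preparation"}   # stages seen before funds move
WINDOW = timedelta(hours=1)                # assumed correlation window

def t(hhmm):
    """Constructed timestamp (UTC) for the sample alerts below."""
    return datetime.strptime("2023-03-13 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed alerts; bot labels, field names and addresses are placeholders.
SAMPLE_ALERTS = [
    {"time": t("08:40"), "address": "0xUNRELATED", "stage": "funding", "bot": "tornado-cash"},
    {"time": t("08:43"), "address": "0xATTACKER", "stage": "funding", "bot": "tornado-cash"},
    {"time": t("08:51"), "address": "0xATTACKER", "stage": "preparation", "bot": "malicious-contract-ml"},
    {"time": t("08:51"), "address": "0xATTACKER", "stage": "preparation",
     "bot": "victim-identification", "victim": "Euler Finance"},
    {"time": t("08:53"), "address": "0xATTACKER", "stage": "exploitation", "bot": "attack-detector"},
]

def correlate(alerts, window=WINDOW):
    """Return one pause decision per address once both pre-exploitation
    stages and a named victim have been seen inside the window."""
    stages = defaultdict(dict)   # address -> {stage: time first seen}
    victims, decided, decisions = {}, set(), []
    for a in sorted(alerts, key=lambda x: x["time"]):
        addr, now = a["address"], a["time"]
        # Expire stages too old to belong to the same attack.
        stages[addr] = {s: ts for s, ts in stages[addr].items() if now - ts <= window}
        stages[addr].setdefault(a["stage"], now)
        if "victim" in a:
            victims[addr] = a["victim"]
        early = PRE_EXPLOIT & stages[addr].keys()
        if len(early) == len(PRE_EXPLOIT) and addr in victims and addr not in decided:
            decided.add(addr)
            decisions.append({"time": now, "address": addr,
                              "victim": victims[addr], "action": "pause"})
    return decisions

def lead_time(alerts, decision):
    """Time between the pause decision and the first exploitation alert."""
    hits = [a["time"] for a in alerts
            if a["address"] == decision["address"] and a["stage"] == "exploitation"]
    return min(hits) - decision["time"] if hits else None

if __name__ == "__main__":
    for d in correlate(SAMPLE_ALERTS):
        print(d["action"], d["victim"], "lead:", lead_time(SAMPLE_ALERTS, d))
```

A single funding alert from an unrelated address produces no decision; requiring two distinct stages plus a named victim is what keeps an automated pause from firing on every Tornado Cash withdrawal.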
