Contagion from the March 13 flash loan attack against Euler has spread far and wide, resulting in frozen or lost funds for 11 different decentralized finance (DeFi) protocols, according to reports from each of them on Twitter. Balancer, an Ethereum protocol with over $1 billion total value locked (TVL), is among the affected protocols. Below is a rundown of the major exploits and what we know so far.
Balancer reported on March 13 that the Euler Boosted USD (bb-e-USD) pool had been affected by the exploit. Approximately $11.9 million worth of tokens from this pool were sent to Euler during the exploit. The Balancer emergency subDAO reacted by pausing the pool and putting it into recovery mode. However, over 65% of the pool’s TVL had already been lost by the time it was paused.
At 10:00 UTC Balancer contributors became aware of an exploit on Euler. It was determined the best course of action was to pause and put into recovery mode bbeUSD (Euler Boosted USD) and all pools containing bbeUSD. This was executed by the emergency subDAO at 11:00 UTC.— Balancer (@Balancer) March 13, 2023
As a result of a bug in the app’s user interface (UI), liquidity providers cannot retrieve the remaining funds left in the pool. However, a new UI will be offered “in the near future” that will allow the remaining funds to be withdrawn, Balancer said. No other pools have been affected, Balancer clarified.
Angle Protocol released a preliminary report on its exposure to the attack. It may have lost over $17 million worth of USD Coin (USDC). This may have caused the agEUR stablecoin, which is pegged to the euro, to become undercollateralized. The team is still investigating and attempting to prepare a detailed balance sheet. All minting and redemption of agEUR is currently paused, but borrowers can still repay their debts to the protocol as normal, the team said.
Idle Finance has provided a detailed list of its losses due to the Euler exploit. It seems to have lost around $5.9 million worth of tokens in total, based on March 13 Ether (ETH) and euro prices. The team has paused all Best Yield vaults and Yield Tranches related to Euler to prevent further losses.
Yearn.finance has over $423 million in TVL, according to DefiLlama. It reported indirect exposure to Euler, through Angle Protocol and Idle Finance. It has lost approximately $1.38 million. However, the team said that any bad debt not covered by Idle and Angle would be covered by the Yearn Treasury.
Yield Protocol is another protocol affected by the exploit. Its "mainnet liquidity pools are built on Euler," according to the team's announcement regarding the attack. The company has disabled the mainnet app, paused borrowing, and is investigating the attack. Its mainnet liquidity pools appear to have been affected, with a possible loss of “less than $1.5 million.”
The Euler hack has affected our mainnet liquidity pools. Yield liquidity pools hold two assets: Euler eTokens and Yield fyTokens. We do not yet have accurate figures for the value of the eTokens held before the attack but believe the total value to be less than $1.5 million USD.— Yield Protocol (@yield) March 13, 2023
InverseFinance reported that it was hit as well, with its DOLA Fed for the DOLA-bb-e-USD on Balancer losing over $860,000. The team said it is communicating with Balancer in an attempt to get these funds returned to depositors.
Related: Euler Finance hacked for over $195M in a flash loan attack
SwissBorg reported that “a small portion of [its] Smart Yield Program was impacted” by the exploit. However, “the extent of the damage is minimal thanks to our Risk Management Procedure.” The team said that it would compensate all losses from its funds, and its users “will not suffer any loss from this event.”
In a Telegram conversation with Cointelegraph, SwissBorg founder Cyrus Fazel clarified that the protocol ranks yield strategies based on risk, time, and APY. Since Euler was rated Risk 2- Adventurous, SwissBorg users “had a limited amount” invested in Euler. This mitigated against losses to the protocol, he explained.
Other affected protocols
Opyn, Mean, Sense and Harvest also reported they might have been affected by the exploit, though none have provided details on how much has been lost. This brings the total number of affected protocols to 11, with $37.6 million in cumulative losses.
Euler Finance is a crypto borrowing and lending protocol that runs on Ethereum. It became popular thanks in part to its support for using liquid staking derivatives (LSDs) such as Coinbase Staked ETH (cbETH) or Lido Staked ETH (stETH) as collateral for loans. On March 8, Euler had over $311 million in crypto locked inside its smart contracts. Since the exploit, its TVL has fallen to $10.37 million.
This story was corrected at 2.11 am UTC on March 14 to reflect that the flash loan attack occurred on March 13.