The Euler Finance Saga

May 10, 2023
  • What happened?
  • What happened after?
  • Conclusion

In March 2023, almost $200 million worth of assets were stolen from Euler Finance, a permissionless lending protocol. This is not a typical crime story, though: it has a redemption arc, in which the cybercriminal regrets their actions and gives the crypto back to its rightful owners.

What happened?

The Euler platform provides liquid staking derivatives. This means users can increase profits by unlocking liquidity for staked cryptocurrencies.

On March 13, 2023, the protocol fell victim to a flash loan attack. Consequently, the cybercriminal took $196 million in DAI, USDC, and other cryptocurrencies.

A number of transactions were made, resulting in the biggest exploit of 2023 so far. The perpetrator used a multichain bridge as well as Tornado Cash, a crypto mixer.

Blockchain security experts have determined that the hacker used flash loans in the exploit to deposit funds. This was apparently possible because of a vulnerability in one of the protocol's smart contracts.

What happened after?

The crypto firm urged the cybercriminal to return all the stolen crypto; on March 15, they also promised to pay $1 million for information about the criminal.

After 5 days, events suddenly took a strange turn: the hacker offered to come to an agreement with the crypto firm, stating that they did not intend to keep funds that belonged to anyone else.

The hacker, who introduced themselves as Jacob in the messages accompanying the transactions, returned all the funds that could be recovered on March 25-28. The returned assets accounted for $177.7 million. What's even more interesting, prior to that some of the funds were sent back directly to a user who said on Twitter that he had lost his life savings because of the exploit. The attacker also apologized for “messing up” people’s lives and assets, even though it somehow was not their intention.

On April 4, 2023, Euler Finance posted on Twitter that the funds were indeed recovered.

They also canceled the $1 million bounty and stopped trying to identify the person or group responsible.


Conclusion

This story had a happy ending, which is quite surprising given that most of the time stolen assets disappear completely. The circumstances are very mysterious, though: it is hard to believe that the person or people responsible for the attack were not aware that such actions could harm someone. Maybe they found out that they could be identified and decided to return the money in the face of likely prosecution. Either way, let's hope that the protocol has learned from its mistakes and will not let something like this happen again.

