Fixing a vulnerability in the Euler Finance DeFi protocol introduced another bug, which an unknown attacker used in March to drain $200 million, said a white-hat hacker known as Kankodu.
“Fixing the bug that I disclosed ended up introducing the function responsible for the hack,” the expert wrote.
According to him, in June 2022 he informed the protocol's developers about a "first deposit bug". The lending protocol lets users deposit assets in exchange for eTokens at an exchange rate; the vulnerability Kankodu found made it possible to artificially inflate that exchange rate and withdraw all of the deposited funds.
The Euler Finance team paid him a $50,000 reward. On the Immunefi bug bounty platform's white-hat leaderboard, he ranks 17th with 28 paid reports and $688,840 in earnings.
To fix the vulnerability, the project's developers changed the protocol so that every new eToken market is initialized with total collateral plus 1 million wei. This replicated the Uniswap v2 approach and made the attack uneconomical, Kankodu noted.
Existing markets whose reserves already exceeded 1 million wei needed no action. For the remaining ones, the developers implemented the donateToReserves function, intended to raise reserves above 1 million wei. It was this function, combined with Euler Finance's liquidation mechanism, that the attacker used against the protocol, the expert said.
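A simplified share-accounting model, added here and not Euler's own code, showing why initializing a market with 1 million wei of virtual balance (the Uniswap v2-style fix described above) makes the first-deposit rounding loss uneconomical to cause. The market structure, the offset constant and the sample amounts are assumptions; "reserve donation" models assets added to reserves without minting shares, as donateToReserves does.

```python
# Simplified eToken share accounting, constructed for illustration (not Euler's code).
# Exchange rate = total assets / total shares; deposits mint shares pro rata with
# floor division, which is where the first-deposit rounding loss comes from.
VIRTUAL_OFFSET = 1_000_000  # the 1 million wei virtual balance used by the fix (assumed model)


def new_market(offset):
    """Both sides start at the offset, so a tiny first deposit can no longer push
    the exchange rate far from 1:1 (offset=0 models the unfixed market)."""
    return {"assets": offset, "shares": offset}


def deposit(market, assets):
    """Mint shares at the current exchange rate and return how many were minted."""
    if market["shares"] == 0:
        minted = assets                    # first depositor sets the rate
    else:
        minted = assets * market["shares"] // market["assets"]
    market["assets"] += assets
    market["shares"] += minted
    return minted


def redeemable(market, shares):
    """Assets that `shares` can currently be withdrawn for (floor division)."""
    return shares * market["assets"] // market["shares"]


def rounding_loss_model(first_deposit, reserve_donation, later_deposit, offset):
    """Model a tiny first deposit, then assets added to reserves without minting
    shares, then a normal deposit. Returns (later depositor's rounding loss,
    first depositor's net cost), both in wei."""
    m = new_market(offset)
    first_shares = deposit(m, first_deposit)
    m["assets"] += reserve_donation        # raises the rate, mints nothing
    later_shares = deposit(m, later_deposit)
    later_loss = later_deposit - redeemable(m, later_shares)
    first_cost = first_deposit + reserve_donation - redeemable(m, first_shares)
    return later_loss, first_cost


if __name__ == "__main__":
    for offset in (0, VIRTUAL_OFFSET):
        loss, cost = rounding_loss_model(1, 100, 100, offset)
        print(f"offset={offset:>9}: later depositor loses {loss} wei, "
              f"first depositor's net cost {cost} wei")
```

A negative net cost is the signature of the unfixed market: the rate manipulation more than pays for itself, whereas with the offset the first depositor spends far more than the later depositor loses.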
“This serves as a costly lesson, as even small bug fixes have the same level of importance as major updates like a new version of the protocol,” Kankodu said.
Recall that the Euler Finance hacker returned almost the entire stolen amount to the project, keeping about $19 million as an agreed reward.