On March 13, 2023, Euler Finance, a permissionless borrowing and lending protocol on Ethereum, was the victim of a flash loan attack. Nearly $200 million was stolen in USDC, wrapped Bitcoin (wBTC), staked Ether (stETH), and DAI, the collateral-backed stablecoin maintained by MakerDAO. The hack was made possible by a missing liquidity (account health) check in the donateToReserves function of the EToken contract. The function burned the caller's eTokens (their collateral) but left their dTokens (their debt) untouched, and, unlike the protocol's other collateral-reducing operations, it never verified afterwards that the account was still sufficiently collateralised. The attacker used this to leave an account holding a small eToken balance against an unchanged, deliberately inflated dToken debt, a state the protocol should have rejected but accepted because the check was never run.
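To make that failure mode concrete, here is a toy model, written for this roundup and not taken from Euler's code, of a collateral-burning call with and without the health check. The account balances, the 9,000 bps (90%) collateral factor, and the class and function names are assumptions chosen for illustration; the dTokens are untouched in both variants, so the only difference is whether the account's health is re-checked after the burn.

```python
"""Toy model of a collateral-burning call with and without an account
health check. Added example, not Euler Finance's code: balances, the
collateral factor and all names are assumptions for illustration."""

from dataclasses import dataclass

BPS = 10_000
COLLATERAL_FACTOR_BPS = 9_000  # assumed: 1 eToken of collateral backs 0.9 of debt


class LiquidityCheckFailed(Exception):
    """Stands in for the revert a health check would trigger on-chain."""


@dataclass
class Account:
    etokens: int  # collateral balance (eTokens)
    dtokens: int  # debt balance (dTokens), never touched by a donation

    def borrowing_power(self) -> int:
        return self.etokens * COLLATERAL_FACTOR_BPS // BPS

    def health_bps(self) -> int:
        """Borrowing power divided by debt, in basis points; >= 10_000 is healthy."""
        if self.dtokens == 0:
            return BPS * BPS  # no debt: treat as unbounded
        return self.borrowing_power() * BPS // self.dtokens

    def is_liquidatable(self) -> bool:
        return self.borrowing_power() < self.dtokens


class Market:
    def __init__(self) -> None:
        self.reserves = 0

    def _burn(self, acct: Account, amount: int) -> None:
        if amount > acct.etokens:
            raise ValueError("insufficient eToken balance")
        acct.etokens -= amount
        self.reserves += amount

    def donate_to_reserves_unchecked(self, acct: Account, amount: int) -> None:
        """Vulnerable variant: burns collateral and credits reserves, then
        returns without asking whether the account is still solvent."""
        self._burn(acct, amount)

    def donate_to_reserves_checked(self, acct: Account, amount: int) -> None:
        """Hardened variant: the same burn followed by the liquidity check that
        every other collateral-reducing action (withdraw, borrow) performs.
        On failure the state change is undone, as a revert would do on-chain."""
        before = (acct.etokens, self.reserves)
        self._burn(acct, amount)
        if acct.is_liquidatable():
            health = acct.health_bps()
            acct.etokens, self.reserves = before
            raise LiquidityCheckFailed(f"donation would leave health at {health} bps")


def demo() -> dict:
    """Run both variants on the same starting position and report the outcome."""
    market = Market()
    victim = Account(etokens=100, dtokens=80)  # healthy: 90 of borrowing power vs 80 of debt
    market.donate_to_reserves_unchecked(victim, 50)
    unchecked = (victim.etokens, victim.dtokens, victim.is_liquidatable())

    market = Market()
    acct = Account(etokens=100, dtokens=80)
    try:
        market.donate_to_reserves_checked(acct, 50)
        checked = "accepted"
    except LiquidityCheckFailed:
        checked = "reverted"
    return {
        "unchecked": unchecked,
        "checked": checked,
        "state_after_revert": (acct.etokens, market.reserves),
    }


if __name__ == "__main__":
    print(demo())
```

The unchecked variant leaves the account with 50 eTokens of collateral against 80 dTokens of debt, a position the protocol would never have allowed through a withdrawal; the checked variant rejects the same call and leaves both the account and the reserves untouched.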
On Monday, the hacker behind last week’s nearly $200 million attack on Euler Finance sent a message to an Ethereum address linked to the DeFi platform, offering to begin a dialogue after Euler issued an on-chain ultimatum demanding the return of the funds.
“We want to make this easy on all those affected. No intention of keeping what is not ours,” the message embedded in an Ethereum transaction read. “Setting up secure communication. Let us come to an agreement.”
On March 13, the DeFi platform for borrowing and lending cryptocurrencies suffered an attack using a flash loan exploit that drained approximately $196.9 million worth of various cryptocurrencies. That tally included $8.7 million in DAI stablecoin, $18.5 million in Wrapped Bitcoin (WBTC), $135.8 million worth of Staked Ethereum (stETH), and another $33.8 million in Circle’s USDC stablecoin.
Days after the attack, Euler Finance sent an on-chain message offering the hacker a deal: keep 10% of the roughly $200 million stolen if the remaining 90% was returned within 24 hours. When that did not happen, Euler Finance publicly announced a $1 million reward for information leading to the hacker's arrest and the return of all funds.
Ronin Bridge Hacker Tries to Phish Euler Hacker on-chain
The Euler Finance exploiter, whose wallet still held the roughly $200 million in stolen funds, received an on-chain note on Tuesday from a wallet address attributed to the Ronin Bridge attackers, the North Korean hacking group Lazarus.
The note contained an encrypted message, and the sender asked the Euler exploiter to decrypt it with their private key. Analysts read this as a phishing attempt: if the exploiter fed the wallet's private key into an attacker-supplied decryption step, the sender could drain the stolen funds from that wallet.
Cross-chain Web3 platform Poolz Finance (POOLZ) lost $390,000 to a hacking incident on Mar. 16
The attacker first traded MNZ tokens on PancakeSwap, then called the CreateMassPools function, which is where the vulnerability lay.
Normally this function lets a user create several pools in one call: it pulls the initial liquidity into the contract with TransferInToken and then creates each pool with CreatePool, which records the pool's attributes in a mapping. The problem was in getArraySum, which determines the amount that TransferInToken pulls in.
getArraySum iterates over the startamount array and accumulates its values. The call trace shows that the sum exceeded the uint256 range and, because the contract used unchecked arithmetic, wrapped around and returned exactly 1. CreatePool nevertheless recorded each pool with its full startamount value, so the attacker paid in a single token while the pools were recorded as holding an enormous amount.
The attacker then called withdraw to complete the attack and profit from the exploit.
The root cause was an unchecked arithmetic overflow. Solidity 0.8 and later compile every arithmetic operation with overflow checks that revert the transaction at runtime, so upgrading the compiler is the first fix; contracts stuck on older compiler versions should use OpenZeppelin's SafeMath library (or an explicit require on each addition) instead of raw operators. Beyond the overflow itself, the per-pool amounts recorded by CreatePool should be reconciled against the total the contract actually received, so that a mismatch between the two can never be turned into free withdrawals.
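The following model, added here and not taken from the Poolz contract, reproduces the failure end to end: a Python stand-in for EVM uint256 arithmetic, an attacker-side helper that builds a startamount array whose true sum is 2**256 + 1 (so the unchecked sum wraps to exactly 1), and a toy pool factory run once with unchecked and once with checked summation. The factory class, its method names, and the three-element sample array are assumptions; only getArraySum, TransferInToken and CreatePool are names from the write-up.

```python
"""Model of the getArraySum overflow behind the Poolz CreateMassPools exploit.

Added example, not the Poolz contract. EVM uint256 arithmetic is modelled
with Python integers reduced modulo 2**256; the factory class, its method
names and the sample array are assumptions for illustration."""

UINT256_MAX = 2**256 - 1
MOD = 2**256


class Overflow(Exception):
    """Stands in for the revert of Solidity >= 0.8 checked arithmetic or SafeMath."""


def unchecked_array_sum(amounts):
    """Pre-0.8 Solidity semantics: each addition silently wraps modulo 2**256."""
    total = 0
    for a in amounts:
        total = (total + a) % MOD
    return total


def checked_array_sum(amounts):
    """Solidity >= 0.8 (or SafeMath) semantics: revert instead of wrapping."""
    total = 0
    for a in amounts:
        if total + a > UINT256_MAX:
            raise Overflow("arithmetic overflow")
        total += a
    return total


def craft_overflow_amounts(n_pools, target=1):
    """Build n_pools valid uint256 start amounts whose true sum is 2**256 + target,
    so that the wrapped sum is exactly `target`. The first n-1 entries are huge
    and the last one tops the total up to 2**256 + target."""
    assert n_pools >= 2
    big = MOD // n_pools
    amounts = [big] * (n_pools - 1)
    amounts.append(MOD + target - big * (n_pools - 1))
    assert all(0 <= a <= UINT256_MAX for a in amounts)  # every entry is a legal uint256
    return amounts


class PoolFactory:
    """Toy model of the vulnerable flow: one transfer-in for the array sum,
    while each pool records its own full start amount."""

    def __init__(self, array_sum):
        self.array_sum = array_sum  # getArraySum implementation under test
        self.pools = []             # StartAmount recorded for each pool
        self.token_balance = 0      # tokens the contract actually received

    def create_mass_pools(self, start_amounts):
        total = self.array_sum(start_amounts)  # amount TransferInToken pulls in
        self.token_balance += total
        for amt in start_amounts:              # CreatePool records each amount as-is
            self.pools.append(amt)
        return total

    def withdrawable(self):
        """What withdraw() will hand back: the sum of recorded start amounts."""
        return sum(self.pools)


def demo(n_pools=3):
    """Run the crafted array through an unchecked and a checked factory."""
    amounts = craft_overflow_amounts(n_pools)
    vulnerable = PoolFactory(unchecked_array_sum)
    deposited = vulnerable.create_mass_pools(amounts)
    try:
        PoolFactory(checked_array_sum).create_mass_pools(amounts)
        hardened = "accepted"
    except Overflow:
        hardened = "reverted"
    return {
        "deposited": deposited,
        "withdrawable": vulnerable.withdrawable(),
        "hardened": hardened,
    }


if __name__ == "__main__":
    print(demo())
```

With unchecked summation the factory takes in one token and records pools worth 2**256 + 1; with checked summation the same call reverts before any state is written, which is exactly the behaviour a Solidity 0.8 compiler or SafeMath gives for free.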
General Bytes experienced a security incident on March 17 and 18 that allowed an attacker to remotely access the master service interface and send funds from hot wallets, according to the company and industry sources. The breach forced most U.S.-based crypto automated teller machine (ATM) operators to shut down temporarily. The attacker drained 56.28 bitcoins, worth approximately $1.5 million, from roughly 15 to 20 crypto ATM operators across the country.
General Bytes, the largest manufacturer of cryptocurrency ATMs, has produced 9,505 machines globally, thousands of them located in the United States. On Saturday, March 18, the company informed the public of a serious security incident that had begun on March 17.
“We released a statement urging customers to take immediate action to protect their personal information,” the company explained at 4:42 p.m. (ET) on Saturday. “We urge all our customers to take immediate action to protect their funds and personal information and carefully read the security bulletin,” the firm added.
According to General Bytes' security bulletin, the attacker remotely uploaded their own Java application through the master service interface, which is normally used by terminals to upload videos. The application ran with the privileges of the BATM user, which gave the attacker access to the database, including the ability to read and decrypt the API keys used to access funds in hot wallets and on exchanges. The attacker could also download usernames and their password hashes, turn off 2FA, and send funds from hot wallets.
Bitcoin.com News spoke with a U.S.-based cryptocurrency automated teller machine (ATM) operator who confirmed that all U.S. operators using General Bytes machines were shut down nationwide for the evening. The operator also mentioned that servers would have to be rebuilt from the ground up, which can be a lengthy process.
Reportedly, General Bytes is transitioning crypto ATM operators to self-hosted servers. In the security bulletin, General Bytes stated that it is discontinuing its cloud service. The firm also said that it had undergone multiple security audits since 2021, none of which had identified this vulnerability.