- Euler CEO tells DL News how the DeFi protocol rebounded from near-death experience.
- 'When you build systems like this, fragilities do get exposed.'
Transactions are irreversible.
The code is public.
It’s little wonder hackers find DeFi protocols among the most vulnerable and lucrative targets. And most protocols that succumb to an attack eventually die.
And yet, exactly two years after suffering a catastrophic, $197 million hack, Euler Finance, a decentralised lending protocol, has staged a remarkable comeback.
Crypto deposited in the protocol recently hit an all-time high in dollar terms, and now stands at $387 million. That figure does not include borrowed coins, which would raise the measure of its crypto deposits to $693 million.
Among the largest 100 protocols in DeFi, only three have grown more quickly over the past month.
Only four have grown more quickly in the past week, when the value of deposits in Euler grew 6%, even as crypto markets crashed amid fears of a recession in the US.
Even so, Euler Labs CEO Michael Bentley remains nervous about protocol security.
“I don’t think we’d be human if we didn’t feel that,” he told DL News in an exclusive interview.
“It’s DeFi and you know that you’re working in the most hostile environment possible for building an application.”
Euler’s comeback is the result of one of the most eye-opening post-hack recovery efforts in the industry’s history.
It’s also the result of a bet that has paid off: the decision to focus on a new version of the protocol after the hack, even if it meant largely disappearing from the public eye for more than a year.
The hack
Euler Labs was founded in 2020, and its first product, the Euler protocol, was launched in December 2021.
But on the morning of March 13, 2023, just days after Bentley’s wife gave birth to their second child, Euler was being drained.
A hacker had managed to exploit Euler based on a vulnerability found in a single line of code — a line that had been written, audited, and then deployed in July 2022 in order to fix a less consequential bug.
The hacker ultimately stole $197 million, and quickly converted the crypto to Ether and DAI, a dollar-pegged stablecoin.
The Euler team, as well as the community of crypto security experts, raced to identify the hacker and to negotiate the return of funds.
In a later interview with DL News, a 20-year-old Argentinian man claiming to be the hacker said he’d reviewed about 20 projects before he exploited Euler.
“I wanted to prove to myself that I could exploit something in DeFi as a hacker,” he told DL News.
Recovery took a maddening three weeks in which the hacker sent some crypto to North Korea, some to a purported Euler user who said they’d lost their life savings in the hack, some to an anonymity service popular with cybercriminals, and some to various wallets under their control.
The hacker began returning the crypto in earnest on March 25, when they sent Euler $90 million in Ether — about half their haul.
By March 28, 84% of the stolen crypto had been recovered.
In a message to Bentley, the hacker asked for forgiveness for the damage he’d done to Euler’s reputation and for the time he’d taken from a new father.
By April 3, the hacker had returned “all of the recoverable funds,” Euler said at the time.
And because they had converted most of the stolen crypto into Ether — which appreciated during the intervening weeks — Euler was able to recover $240 million after a $197 million hack.
Euler’s second coming
The fallout from the hack took about three months to resolve, according to Bentley.
In the immediate wake of the hack, some employees had to be laid off, and others left voluntarily. Among those who remained, venture capital money paid their salaries, the CEO said.
Bentley and his colleagues briefly considered re-launching a patched version of the original protocol.
Ultimately, they decided instead to pursue the next iteration of Euler. At an offsite in Spain in the summer of 2023, the team fleshed out several ideas they had discussed before the hack.
“We essentially, for a week, sat around the table and thrashed out what would become v2,” Bentley said, “whilst, you know, kind of healing together a little bit and trading war stories and just chatting about life in general and trying to make sense of it all.”
They had finished by February 2024, after more than six months of work.
The first version of Euler had undergone six audits; perhaps scarred by their experience almost a year earlier, the team spent the seven months after they’d finished v2 focusing on security, Bentley said, spending millions on 45 audits conducted by 13 security firms.
Euler re-launched in September. The protocol was unlike the simple lending-and-borrowing product that had preceded it.
“We wanted to abstract the principles of lending and borrowing and then package them up into a modular developers kit, where developers themselves could then recreate something like Euler v1,” Bentley told DL News.
“They could recreate their own credit lending and borrowing platform, essentially in their own vision to cater to low-risk individuals or high-risk individuals, or people in the middle, people that want to trade volatile assets, or people more interested in stablecoins.”
Euler’s next act
It entered an incredibly competitive market.
Lending in DeFi is dominated by Aave, the second-largest protocol with almost $17 billion in user deposits as of Monday. (Aave’s deposits top $27 billion when counting borrowed tokens.)
And in lending, size matters, making it difficult for an upstart to attract customers.
“Most of the yield goes to places with existing liquidity, and so you end up with this very big positive feedback loop, and moats can quickly emerge,” Bentley said.
He takes DeFi’s vulnerabilities in stride.
“It’s very easy to focus on the bad elements,” he said.
“But I am a firm believer, and I’ve kind of been unwavering in this, I suppose, that ultimately, when you build systems like this, any fragilities do get exposed,” he said.
“And that’s awful when it happens, but what it does do is it exposes how the fragilities emerge, and it leads to a more robust system in the long run.”
Aleks Gilbert is DL News’ DeFi Correspondent based in New York. You can contact him at aleks@dlnews.com.