Euler returns to launch v2 modular DeFi lending protocol following 31 audits post-$197 million hack
Quick Take Euler’s v2 modular DeFi protocol has gone live, enabling developers to build customizable borrowing and lending vaults. The v2 launch marks the project’s reemergence after it was exploited for $197 million in a flash loan attack last year.
Euler EUL -4.27% has reemerged to launch a v2 modular DeFi lending protocol following the $197 million flash loan attack on the platform in March 2023.
Euler v2 went live on Wednesday following a year of “meticulous development and rigorous security audits,” the team said in a statement shared with The Block.
Unlike Euler v1, which was a DeFi lending and borrowing protocol similar to Compound and Aave, v2 has been redeveloped as a “meta-lending protocol.” It is designed to enable builders to create highly customizable borrowing and lending vaults and open up the use cases for on-chain credit, aiming to eliminate the fragmentation and capital inefficiency that Euler says has “plagued” isolated lending markets.
Euler’s return follows 31 audits from firms such as Certora, Omniscia, OtterSec, Open Zeppelin and Trail Of Bits, in addition to a $1.25 million Cantina audit competition, a $3.5 million “Capture the Flag” with Hats Finance and a bug bounty program set to roll out this week, Euler Labs CEO Michael Bentley told The Block.
How Euler v2 works
Euler v2 enables ERC-4626 vaults to be deployed permissionlessly via the Euler Vault Kit, connecting to other vaults using the Ethereum Vault Connector. ERC-4626 is a tokenized vault standard for Ethereum and other EVM-compatible blockchains, making it easier for different DeFi protocols to interact and integrate with each other.
These vaults can be designed to hold user deposits of traditional crypto tokens, tokenized real-world assets with permissioned transfer restrictions, natively-minted synthetic assets and non-fungible assets. They are also customizable, enabling vault creators to set risk/reward parameters and choose to retain governance for active risk management or allow lenders to manage their own risk.
Each vault can recognize deposits in existing vaults as collateral — a feature the team claims is unique to Euler that can be used to bootstrap liquidity in its ecosystem.
“Deposits in old vaults gain new utility when they are recognised as collateral by newer vaults. Meanwhile, new vaults gain a ready-made user base for borrowing when they accept deposits from already liquid and widely used existing vaults as collateral,” the team said.
Four vault classes are supported by Euler’s frontend interface upon launch: escrowed collateral, governed, ungoverned and yield aggregator vaults.
Escrowed collateral vaults are ungoverned, holding deposits as collateral for loans from other vaults that do not earn interest as they do not allow borrowing directly. Governed vaults, managed by a DAO, risk manager or individual, allow both collateral use and borrowing, providing additional yield to depositors. Ungoverned vaults have fixed parameters for lenders who prefer to manage their own risk. Finally, yield aggregator vaults, managed by a governor, aggregate lender assets and direct them into various ERC-4626 vaults, including external ones, optimizing risk and reward across different vault types.
Asset pricing is handled via the Euler Price Oracle System, a composable on-chain pricing system built around the IPriceOracle interface.
“This system allows us to integrate a diverse range of external pricing oracles through immutable adapters, ensuring that we get accurate and reliable price feeds for our users,” the Euler Labs CEO said.
Euler v2 allows for “free-market” liquidations, Bentley explained, with more advanced vault creators able to customize their own liquidation flows. However, it also retains Euler v1’s reverse Dutch auction liquidation mechanism as standard, popular because it offers some of the lowest liquidation bonuses in DeFi, which helps protect borrowers and maintain pool solvency, he noted.
Bentley claimed that Euler’s vaults are more capital efficient than simpler modular lending protocols, providing greater yield for depositors, reduced liquidity fragmentation and rate volatility for borrowers and a level of flexibility for builders that other platforms cannot match. “You can use Euler to build other lending protocols, but the reverse isn’t true,” he added.
Euler’s native EUL will continue to serve as the governance token for the v2, Bentley confirmed. Euler Labs is expecting to announce “substantial projects” involving vaults in the coming weeks and is also working on something new that addresses the cost challenges DeFi users face when trading across platforms, he said.
Euler’s $197 million flash loan attack and recovery
On March 13, 2023, Euler was subject to a complex attack that leveraged flash loans, causing a loss of $197 million worth of crypto assets, including staked ether, USDC and wrapped bitcoin.
Flash loans, although useful in the DeFi sector for legitimate purposes, are often exploited by attackers due to the lack of required collateral. However, these loans come with high risk, as they must be repaid within a very short timeframe.
Following the attack, Euler’s EUL token experienced a near 70% decrease in value, falling to $2.07. The token is currently trading for $5.02, according to The Block’s Euler Price Page .
To retrieve the stolen funds, Euler offered the attacker a 10% bounty worth $19.7 million, with a warning to initiate a $1 million reward for information on the attacker if the remaining 90% of the funds were not returned.
Despite initial doubts when the hacker laundered $1.8 million through the crypto mixer Tornado Cash three days after the attack, the recovery process began on March 18 with the return of $5.4 million to Euler.
Over the following days, the hacker continued returning funds at variable intervals. They returned the most significant tranche of $102 million in ether.
On March 28, the hacker sent a series of on-chain messages to Euler's address, using the input data to share them with the public. In these messages, the attacker said they were " sorry " and promised to return the remaining funds as soon as possible.
On April 3, the attacker returned the outstanding $31 million, marking a successful end to recovery efforts .
Whitehat claims a bug fix inadvertently led to the attack
In September 2023, a pseudonymous whitehat known as Kankodu claimed they submitted a bug bounty report that introduced a specific vulnerability on Euler, subsequently resulting in the hack.
Kankodu said they had identified the Euler “first deposit bug” in July 2022 — a separate issue from the March incident — and were awarded $50,000 for the discovery.
However, the fix to this bug introduced an additional function to Euler’s code, “donateToReserves,” intended to bolster reserves, which unintentionally created the larger vulnerability that was exploited in the $197 million attack, Kankodu said.
'Significant safeguards' promised in v2
Given the magnitude of the v1 exploit, Euler could find it challenging to attract users to the v2. However, Euler Labs remains confident of doing so, having put “significant safeguards” in place to prevent a similar attack.
“We’re deeply focused on security and have reimagined the lending space with the best technology available. Our approach has been to collaborate closely with vault creators to ensure that Euler v2 not only addresses past challenges but also sets a new standard in DeFi lending,” Bentley said.
“Certora's formal verification has successfully proven the ‘Holy Grail’ property for the Euler v2 Vault, ensuring that accounts stay healthy under all conditions. This robust approach would have prevented the Euler v1 vulnerability, providing strong assurance for the security-first Euler v2,” he added.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Vitalik Buterin urges Web3 wallets to improve security, privacy
Fan tokens offer stability — NFTs have not
Safe’s Safenet wants to bring Visa-like payments network to crypto