Before a $196 million attack, Euler Finance, an Ethereum-based lending system, was determined to be "nothing more than low risk" in ten separate audits conducted over a two-year period.
Following Euler's $196 million flash loan attack on March 13, CEO of Euler Laboratories Michael Bentley described the "hardest days" of his life on March 17. He retweeted a user who said that six separate firms have conducted 10 audits of Euler, and he added that the website "has always been a security-minded initiative."
Blockchain security companies such Halborn, Solidified, ZK Labs, Certora, Sherlock, and Omnisica audited Euler Financial's smart contracts from May 2021 until September 2022. With risk levels ranging from extremely low and informational to critical, Halborn evaluated its risk assessment by evaluating the "likelihood of a security occurrence" and its possible impact; Euler received "nothing greater than low risk."
In December 2022, Halborn's audit reported that it had found "an overall satisfactory outcome" after "examining and studying" 23 smart contracts over the course of a month, noting just "two low risks and three informational" issues. Euler claims that after analyzing Halborn's insurance, it determined that the risks "present no substantial hazards."
The basic swapper implementation of Euler was changed to address several "incorrect paradigms" and how the swap mode was "managed by the software" by Omnisica, a blockchain security company. Euler claimed in the report that these issues had been "fully dealt with" and that "no unresolved issues" remained. On March 16, just hours after Euler offered a $1 million reward for information leading to the hacker's capture, the protocol's hacker started transferring money using the cryptocurrency mixer Tornado Cash.
In a recent Twitter thread, Bentley alleged that the breach forced him to "sacrifice time" with his newborn child and that he will never "forgive the attacker," but he also applauded security experts who are "working on leads" for the investigation. Euler sent out a warning with just 24 hours left before the bounty, threatening to launch one "that leads to your jail and the return of all monies" if 90% of the money wasn't returned in that time.