Euler Finance exploiter linked to Ronin hack

The infamous North Korean hacker collective Lazarus Group was behind the $625 million Ronin bridge crypto heist in March 2022.

Hacker sitting on top of crypto tokens, generated by Midjourney.

The blockchain-tracking Twitter account Lookonchain was the first to report that the Euler Finance exploiter transferred 100 ETH (around $175,000 at the time of writing) to the wallet linked to the hacker behind Axie Infinity’s Ronin bridge heist.

As the analysts pointed out, it’s unclear whether the transaction shows that the two exploiters are connected, or even whether the transfer was intentional. Some users suggested that the move may be a psyop, trolling, or even a cartel fight.

For now, at least one thing is certain — there’s no reliable evidence that Lazarus Group is behind the attack on Euler Finance. Still, given that the Euler exploiter first moved stolen funds into the sanctioned crypto mixer Tornado Cash through an intermediary address and then sent a direct transaction to the Ronin exploiter, the whole affair does look suspicious.

In March 2022, the Ronin bridge fell victim to one of the biggest DeFi hacks to date when Lazarus hackers gained access to five of the nine validator private keys, draining $650 million worth of Ether and USDC tokens.

Following the Ronin heist, the US Treasury Department added the wallets linked to Lazarus Group to its specially designated nationals (SDN) list, warning crypto exchanges’ compliance teams against interacting with these addresses. In January, Lazarus was also confirmed by the FBI as the culprit behind the $100 million Harmony bridge hack.

The activity of North Korean hackers was cited as a rationale for the Treasury’s crackdown on Tornado Cash, a crypto mixer that was put on the SDN list in August. Under the sanctions, US residents are no longer legally allowed to use the service and can face up to 30 years in prison for doing so. Still, the threat of jail time doesn’t seem to deter malicious actors from using the mixer: although its frontend was disabled, which makes it trickier to use for less crypto-savvy users, hackers can use Tornado Cash at any time, since its smart contracts remain deployed and keep running indefinitely on the Ethereum blockchain.


On March 13, decentralized lender Euler Finance saw nearly $200 million drained from its platform, which makes it so far the largest DeFi exploit of 2023. Interestingly, the attack on the protocol wasn’t exactly a “hack” in the sense of exploiting a vulnerability in the code, but rather a manipulation of its markets via a so-called flash loan attack, similar to the one orchestrated by Mango Markets exploiter Avraham Eisenberg.

In DeFi, a flash loan is a type of loan that doesn’t require posting collateral but must be repaid within one transaction block, or else the entire transaction is reverted. According to a Chainalysis blog post, the attacker first took out a flash loan of around $30 million in DAI from Aave.

“After this, the hacker deposited $20 million of that DAI into Euler’s platform, receiving a similar amount in eDAI tokens. By leveraging Euler’s borrowing capabilities, the hacker was able to borrow 10 times the original deposited amount,” explained the blockchain analysis firm.

“The hacker then used the remaining $10 million in DAI from the original loan to repay part of the acquired debt (dDAI) and reused the mint function to borrow again until the flash loan was closed. After the hack was complete, the hacker moved some of the funds back to Tornado Cash,” the experts added.

As the exploit unfolded, Euler users rushed to beg the hacker for a refund — but only one of them got their savings back. The user, identified by DL News as Solidity developer Santiago Sanchez Avalos, received 100 ETH from the Euler exploiter, 22 ETH more than Avalos had initially requested.

“Please consider returning 90%/80%. I’m just a user that only had 78 wstETH as my life savings deposited into Euler, I’m not a whale or millionaire,” Avalos wrote in his on-chain message to the hacker. “You can’t imagine the mess I’m in right now, completely destroyed. I’m pretty sure 20M is already life changing for you and you’ll bring back joy to a lot of affected people.”

Such an act of sudden generosity sparked suspicions that Avalos himself might be the hacker — but the lucky user firmly denied all accusations and suggested that the blackhat “was probably moved by my message.”