The audit fix that became Euler's $197M vulnerability

Nine audits. $197M stolen in eight minutes. The function that made it possible was introduced to fix a previous audit finding and reviewed by exactly one of those nine auditors.


Every DeFi founder who counts audits as a safety signal is relying on exactly the security setup Euler v1 had. Nine audits, $197M stolen in eight minutes.

The function responsible was introduced to fix a previous audit finding and reviewed by exactly one of those nine auditors.

How It Worked

Euler v1 was a monolith. One shared state across the protocol: collateral, debt, reserves, all coupled.

donateToReserves() let users deposit eTokens, the protocol’s internal collateral tokens, directly into the reserve. An auditor had flagged a first-depositor exchange-rate manipulation bug in an earlier version. This function was the fix.

It had one check: confirm the wallet holds enough eTokens to donate. That check was not wrong. The function simply never verified what the position looked like after the donation.

The attacker flash-loaned a large sum into Euler, minted eTokens as self-collateral, then donated those eTokens to the reserve. Collateral dropped to near zero while debt stayed. Euler’s health system saw an undercollateralized position and triggered liquidation. The attacker liquidated their own position, collected the bonus, and left with $197M across six tokens.

The oracle was accurate throughout. Every module executed exactly to spec. The exploit lived in the gap between functions that each individually passed every check.
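A minimal model, added here and not Euler's code, of the gap described above: a position with collateral and debt, a v1-style donate that checks only the eToken balance, and a hardened donate that re-checks the caller's health after the state change, which is the invariant the v2 formal proof covers. The collateral factor, the amounts and the 1:1 eToken valuation are constructed assumptions.

```python
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.75  # constructed, not Euler's setting: share of collateral that may back debt

@dataclass
class Position:
    collateral: float  # eToken balance, valued 1:1 with the underlying here
    debt: float

def health(p: Position) -> float:
    """Risk-adjusted collateral over debt; below 1.0 is liquidatable."""
    if p.debt == 0:
        return float("inf")
    return p.collateral * COLLATERAL_FACTOR / p.debt

def require_healthy(p: Position) -> None:
    if health(p) < 1.0:
        raise ValueError("position undercollateralized")

def borrow(p: Position, amount: float) -> None:
    p.debt += amount
    require_healthy(p)  # borrow re-checks the position after the change

def donate_v1(p: Position, amount: float) -> None:
    """v1-style donate: only checks that the balance covers the amount."""
    if amount > p.collateral:
        raise ValueError("insufficient eTokens")
    p.collateral -= amount
    # No health check: the caller can leave this call liquidatable.

def donate_hardened(p: Position, amount: float) -> None:
    """Same operation, but the caller's health is re-checked afterwards."""
    if amount > p.collateral:
        raise ValueError("insufficient eTokens")
    p.collateral -= amount
    require_healthy(p)

def run_sequence(donate) -> Position:
    # Deposit, borrow to the limit, then donate part of the collateral.
    p = Position(collateral=100.0, debt=0.0)  # constructed deposit
    borrow(p, 75.0)  # health exactly 1.0, still allowed
    donate(p, 40.0)  # v1: health drops to 0.6; hardened: raises
    return p

def hardened_reverts() -> bool:
    try:
        run_sequence(donate_hardened)
    except ValueError:
        return True
    return False
```

Under the v1-style donate the sequence ends with every individual check passed and the position liquidatable; the hardened version rejects the same sequence at the point where the position would become unhealthy.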

The Numbers

$197M in one transaction sequence. March 13, 2023. USDC, DAI, WBTC, stETH, USDT, WETH.

The attacker transferred 100 ETH to Tornado Cash within two hours, then went quiet. Most protocols at this point would have been reduced to public pleas.

Euler’s team sent an on-chain message the same day. Day 3: a pre-authorized offer. Return 90% to the DAO treasury and all legal action stops.

Someone on the team had authority to make that offer before the lawyers arrived, before the forum posts, before the community calls. That authority was the difference.

By April 3, 2023, $240M had come back. ETH had appreciated during the 21-day negotiation, pushing the total recovery above the original theft.

The Recovery Playbook

Three decisions shaped the outcome, and none of them appears in a standard incident response checklist.

First: strict communications blackout. The team enforced silence on every channel except for strategic on-chain messages, starving the attacker of any signal about whether they had been identified.

Second: a $1M bounty within 24 hours. Third: neutral, firm on-chain messages without flattery, without begging.

[Figure: Euler v1 recovery timeline: 197M stolen, 240M returned in 21 days]

The Lazarus Group attempted to intercept the funds mid-negotiation. The Euler team detected the attempt and warned the attacker directly, over email. He trusted the warning and ignored the intercept. That trust was built through 15 days of consistent, non-manipulative communication.

The attacker, who identified himself as “Jacob,” sent a message on day 15: “I fucked up. I’m sorry.” He returned everything over the following days.

The total recovery, including ETH appreciation, came to $240M. It is the largest successful exploit recovery in DeFi history.

What v2 Changed

The v1 architecture made the exploit possible. v2 addresses it at the design level, not the audit level.

The Euler Vault Kit deploys isolated lending vaults, each holding a single asset. There is no protocol-wide reserve to donate into. The operation that triggered the v1 exploit cannot be expressed in the v2 architecture.

The Ethereum Vault Connector allows vaults to use each other’s assets as collateral, but every connection is explicit and isolated. Cross-vault interactions are opt-in at the vault level, not implicit in a shared state machine.

Certora formally proved the health invariant holds under all conditions in v2. An audit certifies that code correctly implements its specification. Formal verification proves a specific property cannot be violated under any sequence of operations a user could execute. The v1 vulnerability was introduced by a correctly implemented spec. Formal verification would have flagged it.

[Figure: Euler v1 vs v2 security stack comparison: audits, firms, bug bounty]

v2 launched with 31 audits from multiple firms and a $1.25M Cantina audit competition. It now carries 45 audits from 13 firms and a $5M bug bounty, the second-largest in DeFi lending. Adding more audits to the same monolithic design would not have helped. The architecture was rebuilt so the dangerous pattern cannot be expressed.

What This Means for Allocators

Audit count is not coverage depth. Ask two questions instead.

What percentage of the codebase has formal invariant verification, not just human review? And when new functions are added after the initial audit scope is set, do they go through a full re-audit or stay out of scope by default?

Those are the two questions donateToReserves would have failed. It was introduced post-scope. It was reviewed once. Eight auditors came after and never touched it.

What This Means for Builders

The Euler team recovered $240M because someone had pre-authorized negotiating authority before they needed it.

A governance vote cannot conclude inside a 72-hour window. Lazarus Group moves in the first day. Anonymous attackers get nervous after 48 hours. The window is real, and it closes on a schedule that has nothing to do with your forum post cycle.

Before you launch: decide who negotiates, what they can offer without a governance vote, and what the escalation path is if the attacker goes dark after day 3. Write it down. Store it somewhere the team can access at 3am.

If the plan is to post on Discord and wait for a community vote, the window is already gone by the time the thread is trending.

What to Watch

Euler v2 TVL sits at $526M. Aave is at $24B. Morpho is at $7B. The protocol recovered its reputation before it recovered its TVL.

The Usual Stability Loan deployed $170M via the Euler Vault Kit in three weeks. Builder adoption is the leading indicator for depositor trust in a post-exploit relaunch. Watch that deployment: if it holds and grows as Usual’s incentives mature, the architecture thesis is validating in real capital. If it exits when the incentives end, the trust gap is still the binding constraint.

When v2 TVL crosses $1B, the recovery narrative becomes something a founder can cite in an LP deck without a footnote.


The function that stole $197M was introduced specifically to make the protocol safer. It worked exactly as written. The spec was the problem, and eight of nine auditors never read the spec for that function.


GAM Analysis is independent DeFi protocol research by @galbortam.
