Unfortunate news
@eulerfinance, a Sherlock protocol customer, was hacked earlier today for ~$200M.
Sherlock verified the root cause, helped Euler submit a claim, held a vote on the claim for $4.5M (which passed), and executed $3.3M of the payout today.
etherscan.io
Euler has been one of Sherlock's earliest customers. Sherlock has seen that Euler is one of those special teams that goes above and beyond when it comes to security.
Sherlock will do everything in its power to support Euler as they recover.
Similarly, Sherlock stands behind every auditor who reviewed Euler.
Sherlock initially worked with @cmichelio to audit the first version of Euler in Dec 2021, then with @shw9453 to audit a very small update in Jan 2022, and finally with @WatchPug_ to audit EIP-14 in July 2022.
Based on WatchPug's post-mortem, a major factor for the exploit was a missing health check in donateToReserves(), a new function added in EIP-14.
But it's important to note this attack was still technically possible even before the existence of EIP-14.
hacknote.co
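To make the root-cause point above concrete: the defensive invariant is that every code path which reduces a user's collateral must end with the same solvency check that withdraw and borrow already apply. The following stripped-down vault is an added illustration written for this page; it is not Euler's code and not from the thread or the post-mortem, and the contract, state layout and the `_requireHealthy` check are assumed for the example. It places a donate path that skips the check beside one that performs it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only: a toy lending vault, not Euler's contracts.
// Each account holds collateral "shares" and may carry "debt".
// Invariant: any function that lowers an account's collateral
// must re-check that the account is still solvent afterwards.
contract ToyVault {
    mapping(address => uint256) public shares;   // collateral shares per account
    mapping(address => uint256) public debt;     // borrowed amount per account
    uint256 public reserves;                     // protocol-owned shares

    uint256 public constant COLLATERAL_FACTOR_BPS = 8000; // 80% (assumed value)

    error Insolvent(address account);

    // Hypothetical solvency check (name assumed): collateral scaled by the
    // collateral factor must cover outstanding debt.
    function _requireHealthy(address account) internal view {
        uint256 maxDebt = (shares[account] * COLLATERAL_FACTOR_BPS) / 10_000;
        if (debt[account] > maxDebt) revert Insolvent(account);
    }

    function deposit(uint256 amount) external {
        shares[msg.sender] += amount;            // adding collateral can't break solvency
    }

    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
        _requireHealthy(msg.sender);             // more debt: check the margin
    }

    function withdraw(uint256 amount) external {
        shares[msg.sender] -= amount;
        _requireHealthy(msg.sender);             // less collateral: check the margin
    }

    // Weak version: moves collateral out of the caller's account into
    // reserves but never re-checks that the caller is still solvent,
    // so an account can leave this call undercollateralised.
    function donateToReservesUnchecked(uint256 amount) external {
        shares[msg.sender] -= amount;
        reserves += amount;
    }

    // Hardened version: identical state change, followed by the same
    // solvency check that withdraw() and borrow() already perform.
    function donateToReserves(uint256 amount) external {
        shares[msg.sender] -= amount;
        reserves += amount;
        _requireHealthy(msg.sender);
    }
}
```

A practical review check that follows from this: list every external function that decreases `shares[account]` or increases `debt[account]` (including newly added ones such as a donate or burn path) and confirm each one calls the solvency check before returning; a unit test that donates the full collateral of an account with open debt and expects `Insolvent` to be raised catches the missing call.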
Sherlock is grateful to work with talented auditors like those above. These are the folks who are putting their reputations on the line to move crypto forward.
Chris Michel is the #1 ranked individual auditor all-time, and WatchPug is ranked #2 all-time. Security is hard.
In addition, Sherlock paid for a $500k bug bounty program for critical vulnerabilities on Euler (only decreased from $1M due to low bear market liquidity).
But unfortunately, the hacker chose not to take this route.
In August 2022, a month after WatchPug's audit of Euler, Sherlock learned the hard way that a single talented auditor (Trail of Bits this time) can miss critical vulnerabilities:
mirror.xyz/0xE400820f3D60… (Sherlock Yield Strategy Bug Bounty Post-Mortem: "Sherlock's EulerStrategy.balanceOf() (which uses the result of the balanceOfUnderlying() call on Eul...")
This inspired Sherlock's move to audit contests:
docs.sherlock.xyz/audits/protoco… (Protocol Teams: "Security is a top priority for high-quality projects shipping code to mainnet given the inherent adv...")
Unfortunately, the security auditing for Euler was done before Sherlock's contest model had launched, meaning only a few talented eyes reviewed the codebase, instead of 100-200 as is typical for current Sherlock audit contests.
It's a painful lesson for everyone involved.
Sherlock has expressed condolences to Euler for this situation, and Sherlock certainly should not escape criticism for this regrettable event.
Sherlock maintains that Euler is one of those special teams that puts security first, so it is disheartening to see this outcome.
Unfortunately, the millions paid back by Sherlock pale in comparison to the size of the hack.
But, on a brighter note, today is the first time in crypto's history that an auditor has paid back millions of dollars for a missed vulnerability.
Sherlock will continue to pursue the bleeding edge of smart contract audits and coverage by focusing on innovations like hybrid audit contests and protocol-to-protocol coverage.
After this weekend, it's clear that DeFi is the future. Sherlock and Euler will continue building it.