Euler Finance Attacker Transferred 100 ETH to Ronin Bridge Attacker- Coincidence or Connection?

While decentralized finance (DeFi) protocols have revolutionized the way we think about traditional finance, there’s no denying that security is a top priority. Despite the tireless efforts of developers and exchanges, it seems like there’s always a hacker lurking in the shadows, ready to strike. It has recently come to light that the individual responsible for the Euler Finance exploit has transferred 100 ETH to an address linked to the Ronin Bridge exploit. 

Possible Link Found in Euler Finance and Ronin Bridge Hacks

A puzzling interaction has been observed between the addresses involved in the recent Euler DeFi protocol exploit and the Ronin network hack of Axie Infinity last year. On-chain data, initially discovered by Look on Chain, reveals that the individual responsible for the Euler Finance exploit transferred 100 Ether (equivalent to $170,515) to a wallet linked to the Lazarus Group’s Ronin network hack.

Based on on-chain data, the exploiter has conducted multiple transactions and has managed to steal close to $196 million. This attack has now become the biggest hack of 2023. 

Euler Finance Exploiter transferred 100 $ETH to Ronin Bridge Exploiter(stole 173,600 $ETH and 25.5M $USDC).

Ronin Bridge Exploiter was listed by #OFAC as Lazarus Group – the North Korean state hacking group.

Are the two hackers the same person or was it intentional? pic.twitter.com/aPzOkSlXb6

— Lookonchain (@lookonchain) March 17, 2023

It remains uncertain whether or not the Lazarus Group is responsible for the attack or if there is any connection between them and the individual who exploited Euler Finance. 

In April 2022, the U.S. Department of the Treasury designated Lazarus Group as a listed entity. Earlier in January, the Federal Bureau of Investigation (FBI) had implicated Lazarus Group and fellow North Korean hacking group APT38 in the theft of $100 million worth of cryptocurrency from Horizon Bridge.

Euler Finance Hacked Despite 10 Audits 

Despite undergoing ten separate audits spanning over two years, the Ethereum-based lending protocol Euler Finance was labeled as “low risk” and found to have “no outstanding issues” prior to the recent $196 million attack.

On March 16th, Michael Bentley, the CEO of Euler Labs, took to Twitter to describe the past few days as the “hardest days” of his life following the flash loan attack that took place on March 13th.

After one user shared information on Twitter about Euler Finance undergoing 10 audits from 6 different firms, the CEO retweeted it and added that their platform has always prioritized security. Between May 2021 and September 2022, several blockchain security firms, such as Halborn, Solidified, ZK Labs, Certora, Sherlock, and Omnisica, conducted smart contract audits on Euler Finance.

Halborn utilized a risk assessment approach that factored in the probability of a security incident and its potential impact, ranking the risk level from very low and informational to critical. Euler’s risk level was rated as “nothing higher than low risk.”

The Euler Finance hacker began transferring funds through the crypto mixer Tornado Cash only a few hours after Euler had launched a $1 million bounty for any information that could lead to the attacker’s arrest.

In a recent Twitter thread, CEO Michael Bentley expressed that he could never forgive the attacker, as the attack forced him to sacrifice time with his newborn son. However, he expressed gratitude towards the security experts who are currently working on leads for the investigation.

It should be noted that the attacker responsible for the Euler Finance exploit did not necessarily “hack” the protocol by breaking its code to gain unauthorized access but instead used a flash loan to manipulate its internal markets and drain its treasury.

In October 2022, a similar scheme was used to exploit the Solana-based protocol Mango Markets and drain its treasury. The individual behind this exploit, Avraham Eisenberg, was apprehended in Puerto Rico in late December.