Euler Finance: Donation Function Bypassing Health Check (Logic Bug in EIP-14 upgrade)
Summary
Euler Finance, a lending protocol, suffered an exploit on 2023-03-13, resulting in a loss of approximately $197M.
What happened
An attacker used Euler's own leverage system and a donation function that skipped health checks to manufacture bad debt, then liquidated it at a discount — draining $197M from one of DeFi's most audited lending protocols.
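The missing check described above, as an added example that is not Euler's contract code: a simplified Python model of a lending account in which a donation path that skips the health check is set beside a hardened path that enforces it. The class and function names, the 90% collateral factor and all balances are assumptions constructed for illustration.

```python
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


class HealthCheckFailed(Exception):
    """The operation would leave the account under-collateralised."""


@dataclass
class Account:
    collateral: int  # deposit-side balance (eToken-like), constructed units
    debt: int        # borrow-side balance (dToken-like), same units


class Market:
    def __init__(self, collateral_factor_bps: int = 9_000):  # assumed factor
        self.cf_bps = collateral_factor_bps
        self.reserves = 0

    def is_healthy(self, a: Account) -> bool:
        # Solvent when risk-adjusted collateral still covers the debt.
        return a.collateral * self.cf_bps >= a.debt * BPS

    def bad_debt(self, a: Account) -> int:
        # Debt that no remaining collateral backs.
        return max(0, a.debt - a.collateral)

    def donate_unchecked(self, a: Account, amount: int) -> None:
        # Pattern the page describes: collateral leaves, health is never checked.
        if not 0 < amount <= a.collateral:
            raise ValueError("invalid amount")
        a.collateral -= amount
        self.reserves += amount

    def donate_checked(self, a: Account, amount: int) -> None:
        # Hardened form: same transfer, then the solvency check that guards
        # every other collateral-reducing path; undo the transfer on failure.
        self.donate_unchecked(a, amount)
        if not self.is_healthy(a):
            a.collateral += amount
            self.reserves -= amount
            raise HealthCheckFailed("donation would make the account insolvent")
```

The review point this generalises to is that every function that lowers an account's collateral or raises its debt should end in the same solvency check, including ones that look like gifts to the protocol.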
Linked factors
- RD-F-006 — related : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded (Y/N + detail): YES — The vulnerability was introduced in EIP-14 (the `donateToReserves` function), deployed as an upgrade prior to the hack. Not in the o...] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded (Y/N + detail): YES — The vulnerability was introduced in EIP-14 (the `donateToReserves` function), deployed as an upgrade prior to the hack. Not in the o...]
- RD-F-008 — illustrative : Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited (by Sherlock) — but the health-check omission was missed. Sherlock accepted responsibility and paid out $4.5M.]
- RD-F-077 — related : Auto-linked by C.4 triage 2026-05-07
- RD-F-081 — related : Auto-linked by C.4 triage 2026-05-07
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Partial — An associated attacker address had previously exploited BSC-based EPMAX and deposited proceeds to Tornado Cash. This address his...]
- RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N + detail): YES — The attack involved taking flash loans and using Euler's leverage system to create extreme eToken/dToken positions in a single block...]
- RD-F-146 — illustrative : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded (Y/N + detail): YES — The vulnerability was introduced in EIP-14 (the `donateToReserves` function), deployed as an upgrade prior to the hack. Not in the o...]