Showcase Investigation

Euler Finance $197M Flash Loan Attack — Negotiated Recovery Forensics

A donation-function vulnerability in Euler Finance's lending protocol allowed an attacker to manufacture artificial undercollateralization and drain $197M across nine token markets in March 2023. On-chain negotiation produced a $177M return within 23 days — but the $20M gap and the pre-return DEX conversions define the live forensic case.
Updated June 16, 2026 · 9 min read · Authored by 5CIP analyst team

Incident Overview

At 08:56 UTC on March 13, 2023, a single attacker address drained $197 million from Euler Finance in under six minutes across nine token markets — without taking custody of a counterparty's private key, without manipulating a price oracle, and without any transaction confirming between the loan draw and its repayment. The attack is structurally distinct from the flash loan exploits that preceded it: earlier attacks weaponized oracle prices or reentrancy flaws. This one weaponized accounting logic the protocol had audited twice and considered fully hardened.

What followed was equally unusual. Over the next 23 days, a sustained on-chain dialogue — combined with a $1M reward offer and the visible pressure of a criminal investigation running in parallel — produced a $177M return: the fastest negotiated recovery of a major DeFi exploit on record. The $20M that was not returned is not a postscript. It is the forensic thread that remains warm, because the conversions that account for that gap took place during the 12 days before the attacker decided to negotiate — the period when motive, capability, and identity signals all concentrate.

Exploit Mechanics — Why the Donation Vulnerability Was Invisible to Auditors

Most flash loan attacks fail a standard audit test: simulate the vulnerable function in isolation and the flaw surfaces. The Euler vulnerability passed that test because donateToReserves and the liquidation engine each behaved correctly in isolation. The flaw lived in a design assumption, not in any individual function: no economically rational actor would deliberately destroy their own collateral position without receiving something in exchange. donateToReserves had been designed for altruistic protocol supporters — it accepted tokens and credited them to reserves without issuing eTokens (Euler's collateral receipts), because the protocol treated donations as asset-backed additions to reserves rather than leveraged claims.

The attacker inverted this logic in a way the protocol's health accounting never anticipated. The sequence: draw a flash loan; establish a large leveraged long position that held real collateral; donate a portion of that collateral to the reserve pool. The donation did not reduce the position's eToken liability — eTokens already issued do not burn on donation — but it did increase the reserve metric relative to the outstanding eToken obligations. The result was an accounting state the collateralization check had no rule for: a position holding real assets that now appeared critically undercollateralized, not because collateral had been removed, but because the donation shifted the ratio denominator without moving any real value out of the system. When the liquidation engine evaluated that manufactured ratio and found it below the health threshold, it did precisely what it was designed to do — it allowed the attacker's second address (acting as liquidator) to seize the undercollateralized position at a liquidation discount. The discount was the profit. The flash loan was repaid from proceeds. Net cost: gas fees.

What distinguished this from the closest comparable accounting-logic exploit — Compound's 2020 DAI distribution bug — is that the Compound incident required a price feed anomaly to create the miscounted value. The Euler vulnerability required no external dependency: no oracle, no DEX tick, no governance action. The protocol itself, behaving exactly as documented, was the attack surface. That structural property is why the exploit executed in a single atomic transaction and why two independent audits (Halborn and Sherlock, both 2022) did not flag it: the audited functions were correct. The vulnerability was the interaction assumption, not any specific line of code.
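The accounting gap described above, as an added example that is not part of the original article or of Euler's contracts: a toy lending pool in Python in which the health check runs on borrow and withdraw but, in the vulnerable configuration, not on a donation of collateral receipts. The names (Pool, Position, donate_to_reserves, run_scenario), the collateral factor and the liquidation discount are assumptions chosen to keep the arithmetic visible; collateral and debt are valued 1:1 and the economics of the real trade are not modelled.

```python
"""Toy lending-pool accounting model: constructed example, not Euler's contracts.

It reproduces the design assumption the article describes: the protocol checks
health on borrow and withdraw but assumes no other function can move a
position below the threshold. A deliberate donation of collateral receipts
(the article's eTokens) with the debt left untouched breaks that assumption,
and the liquidation engine then acts on the manufactured state exactly as
specified. Collateral and debt are valued 1:1 so the arithmetic is visible.
"""
from dataclasses import dataclass, field

COLLATERAL_FACTOR = 0.90     # assumed: 1.00 of collateral supports 0.90 of debt
LIQUIDATION_DISCOUNT = 0.10  # assumed: a liquidator buys collateral 10% below value


class UnhealthyPosition(Exception):
    """Raised when an operation would leave a position below the health threshold."""


@dataclass
class Position:
    collateral: float = 0.0  # receipt tokens credited to the position
    debt: float = 0.0        # outstanding borrow

    def health(self) -> float:
        """Risk-adjusted collateral over debt; 1.0 or more means not liquidatable."""
        if self.debt == 0:
            return float("inf")
        return self.collateral * COLLATERAL_FACTOR / self.debt


@dataclass
class Pool:
    reserves: float = 0.0
    positions: dict = field(default_factory=dict)
    check_health_on_donate: bool = True  # False reproduces the missing check

    def open_position(self, owner: str, collateral: float, debt: float) -> None:
        pos = Position(collateral, debt)
        if pos.health() < 1.0:  # the check that borrow and withdraw always run
            raise UnhealthyPosition("borrow would be undercollateralized")
        self.positions[owner] = pos

    def donate_to_reserves(self, owner: str, amount: float) -> None:
        """Move part of a position's collateral receipts into protocol reserves.

        Reserves rise and the donor's debt is untouched. The hardened variant
        treats this like any other collateral reduction and re-checks health
        before committing; the vulnerable variant trusts that nobody would
        donate their way into liquidation.
        """
        pos = self.positions[owner]
        if amount > pos.collateral:
            raise ValueError("cannot donate more than the position holds")
        if self.check_health_on_donate:
            projected = Position(pos.collateral - amount, pos.debt)
            if projected.health() < 1.0:
                raise UnhealthyPosition("donation would leave position undercollateralized")
        pos.collateral -= amount
        self.reserves += amount

    def liquidate(self, victim: str, repay: float) -> float:
        """Repay up to `repay` of an unhealthy position's debt and take collateral
        at LIQUIDATION_DISCOUNT. Returns the liquidator's gain (seized minus repaid)."""
        pos = self.positions[victim]
        if pos.health() >= 1.0:
            raise ValueError("position is healthy; nothing to liquidate")
        repay = min(repay, pos.debt)
        seized = min(pos.collateral, repay / (1.0 - LIQUIDATION_DISCOUNT))
        pos.debt -= repay
        pos.collateral -= seized
        return seized - repay


def run_scenario(check_health_on_donate: bool) -> dict:
    """Open a leveraged position, donate part of its collateral, and report
    whether the liquidation engine would now treat it as liquidatable."""
    pool = Pool(check_health_on_donate=check_health_on_donate)
    pool.open_position("borrower", collateral=1000.0, debt=850.0)  # health 900/850
    result = {"health_before": pool.positions["borrower"].health()}
    try:
        pool.donate_to_reserves("borrower", 100.0)  # would leave health at 810/850
        result["donation_accepted"] = True
    except UnhealthyPosition:
        result["donation_accepted"] = False
    pos = pool.positions["borrower"]
    result["health_after"] = pos.health()
    result["liquidatable"] = pos.health() < 1.0
    result["reserves"] = pool.reserves
    if result["liquidatable"]:
        # a second address acting as liquidator captures the discount
        result["liquidator_gain"] = pool.liquidate("borrower", repay=850.0)
    return result


if __name__ == "__main__":
    for flag in (False, True):
        print(f"health check on donate={flag}: {run_scenario(flag)}")
```

The defensive point is the projected-state check in donate_to_reserves: every function that can reduce a position's collateral is treated as a withdrawal for health purposes, regardless of whether an economically rational user would ever call it that way. Run with the flag off, the donation is accepted, the position reads as undercollateralized and liquidate() proceeds without complaint; with the flag on, the same donation is rejected and reserves stay at zero.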

Multi-Token Drain — Nine Markets and the EULER Token Decision

Draining nine separate markets — DAI, USDC, WBTC, stETH, WETH, USDT, LUSD, wstETH, and EULER — simultaneously was not breadth for its own sake. Each market required a separately calibrated exploit path: different reserve ratios, different eToken balances, and different liquidation discount parameters meant that the donation amount and liquidation trigger had to be computed per market. Packaging all nine into a single atomic bundle is preparation-intensive: it requires having run simulations against a forked copy of Euler's mainnet state for each market individually, then sequencing the bundle so that no single drain disrupted the liquidity conditions required by a subsequent step. Based on the execution complexity and the precision of the donation amounts relative to each market's reserve ratio, preparation time is conservatively estimated at two to four weeks of active development against a local fork.

The EULER governance token's inclusion is the most tactically interesting choice in the bundle, and in hindsight, probably a miscalculation. The EULER market was small relative to DAI or WBTC — its contribution to the $197M total was marginal in absolute terms. Selling it onto secondary markets drove a 70% token price collapse on the day, which maximized downstream market visibility of the attack and almost certainly accelerated law enforcement notification faster than any on-chain alert system would have. A purely value-maximizing attacker extracting maximum ETH from high-liquidity markets would have excluded EULER: the governance token added noise to the signal the attacker needed to suppress. Its inclusion suggests one of two things: a secondary motive (collapsing governance token value to prevent Euler Labs from using emergency governance to pause the protocol mid-execution), or more likely, a preparedness artifact — the attacker ran their simulation against every market and executed the full batch without applying market-by-market value weighting. The former interpretation implies more sophisticated operational thinking than the return behavior later suggests.

5CIP's investigation traces seed address 0xb66cd966670d962C227B3EABA30a872DbFb995db through all pre-attack preparation activity across five independent attribution iterations using the full 6-layer stack. Pre-attack funding chains — not the attack transaction itself — are where identity signals concentrate, because preparation activity predates any awareness that forensic scrutiny is coming.

On-Chain Negotiation — What the March 18 ETH Transfer Reveals About the Attacker

On March 18 — five days after the attack and a full week before the main return negotiations concluded — the attacker sent 100 ETH to a private Euler user who had contacted them directly through an on-chain transaction input message, not through any official channel. This single transaction is the most forensically informative event in the post-attack period, and it has received less analytical attention than it warrants.

Executing that transfer required the attacker to be monitoring inbound transaction input data in real time, parsing those messages for content and tone, and making a discretionary decision to send funds to a specific retail victim while simultaneously managing parallel negotiations with the protocol team. A professional criminal operation — particularly one operating under the time pressure of an active criminal investigation — does not allocate decision bandwidth this way. The behavior is consistent with a technically sophisticated individual, or a small group with a single decision-maker, who had not fully internalized the human consequences of their own action before executing it. That inference matters for recovery: it implies the attacker's return decision was not purely the result of law enforcement pressure but included a moral dimension that could have been activated sooner with different outreach framing.

The formal negotiation sequence is well-documented from on-chain data: Euler's team sent transaction messages to the attacker's address within hours of the attack, offered a $1M reward for full return, and set a 7-day deadline before committing to law enforcement escalation. The attacker's initial counter demanded a larger ETH payment. Tranche returns began March 25. By April 5, $177M had been returned across multiple transactions — each structured, notably, to avoid triggering the same liquidation mechanics that had enabled the theft, which is confirmed evidence that the attacker understood Euler's protocol accounting well enough to engineer a clean protocol-safe unwinding, not just a raw token transfer.
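The on-chain messaging channel described above, as an added example that is not from the original article or from 5CIP's tooling: a Python classifier that separates free-form UTF-8 messages placed in a transaction's input field from ABI-encoded calldata, so an analyst can read the negotiation out of a transaction list. The function names, the printability threshold and the sample transactions are assumptions; the addresses and message wording are constructed placeholders, not chain data. The ERC-20 transfer selector 0xa9059cbb is the standard one.

```python
"""Pull readable messages out of transaction input data.

Constructed example, not 5CIP tooling. The negotiations the article describes
ran over the `input` field of ordinary value transfers: the sender hex-encodes
a UTF-8 string and the counterparty reads it from the chain. The same field
carries ABI-encoded calldata when the recipient is a contract, so an analyst
scanning a transaction list needs to tell the two apart before reading.
"""
from dataclasses import dataclass
from typing import Optional

PRINTABLE_THRESHOLD = 0.95  # assumed: share of printable characters required for text


@dataclass
class DecodedInput:
    kind: str                        # "empty", "message", "calldata" or "binary"
    text: Optional[str] = None       # decoded message when kind == "message"
    selector: Optional[str] = None   # 4-byte function selector when kind == "calldata"


def decode_input(hex_input: str) -> DecodedInput:
    """Classify one transaction's input field and decode it where possible."""
    raw = bytes.fromhex(hex_input[2:] if hex_input.startswith("0x") else hex_input)
    if not raw:
        return DecodedInput("empty")
    text = None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        pass
    # ABI words are mostly zero bytes, which decode as non-printable control
    # characters, so a printability ratio separates prose from calldata.
    if text is not None:
        printable = sum(ch.isprintable() or ch in "\n\r\t" for ch in text)
        if printable / len(text) >= PRINTABLE_THRESHOLD:
            return DecodedInput("message", text=text)
    if len(raw) >= 4 and (len(raw) - 4) % 32 == 0:
        return DecodedInput("calldata", selector="0x" + raw[:4].hex())
    return DecodedInput("binary")


def extract_messages(txs: list) -> list:
    """Return (sender, recipient, text) for every transaction carrying a message."""
    found = []
    for tx in txs:
        decoded = decode_input(tx["input"])
        if decoded.kind == "message":
            found.append((tx["from"], tx["to"], decoded.text))
    return found


# Constructed sample: addresses and wording are placeholders, not chain data.
PROTOCOL_TEAM = "0x" + "11" * 20
COUNTERPARTY = "0x" + "22" * 20
TOKEN = "0x" + "33" * 20

SAMPLE_TXS = [
    {"from": PROTOCOL_TEAM, "to": COUNTERPARTY,
     "input": "0x" + "Please return the funds. A reward is offered.".encode().hex()},
    # transfer(address,uint256) call: selector 0xa9059cbb followed by two 32-byte words
    {"from": COUNTERPARTY, "to": TOKEN,
     "input": "0xa9059cbb" + "00" * 12 + "22" * 20 + (1000).to_bytes(32, "big").hex()},
    {"from": COUNTERPARTY, "to": PROTOCOL_TEAM, "input": "0x"},
]

if __name__ == "__main__":
    for sender, recipient, text in extract_messages(SAMPLE_TXS):
        print(f"{sender[:10]}... -> {recipient[:10]}...: {text}")
```

The order of the checks matters: a calldata payload can decode as valid UTF-8 because zero bytes are valid, so the printability ratio, not decodability, is what identifies a human message. Anything that is neither readable text nor selector-plus-whole-words is left as "binary" rather than guessed at.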

5CIP Investigation Findings — The 12-Day Forensic Window

Cases with negotiated fund return introduce a specific forensic complication: the return flows route back through the same intermediary addresses that held the funds during the pre-return period, overwriting the most analytically useful portion of the holding-period graph with new transaction data. Our investigation concentrates on the 12-day window between the attack (March 13) and the first return transaction (March 25) — the period when the attacker's intermediary addresses were active under no negotiation incentive to clean or discipline the trail.

What the on-chain graph shows within that window, confirmed from chain data: at least three intermediate holding wallets received consolidated balances from the attack address before any return decision was made. DEX aggregator routing contracts served as conversion touchpoints for at least two token types. The address that received the largest single consolidated balance exhibited a funding pattern — initial gas provisioned from a fresh address with zero prior on-chain activity — consistent with purpose-built infrastructure rather than reused personal wallets. Purpose-built infrastructure is a positive indicator of premeditation; it is also a negative indicator for personal identity signals, because addresses created for a single operation carry no historical context that attribution tooling can anchor to.

The $20M gap between the stolen $197M and the returned $177M is not adequately explained by gas costs alone. Gas expenditure across the attack and all DEX conversions is measurable on-chain and accounts for a fraction of that figure. The remainder represents assets converted through DEX routes during the pre-return window that the attacker either could not or chose not to include in the return package. Those conversion endpoints — the DEX output addresses and any subsequent hops — are the live forensic targets where subpoena value concentrates. Complete per-entity attribution findings publish to the interactive case study dashboard as each iteration finalizes.
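The holding-window analysis described in this section, as an added example that is not from the original article or from 5CIP's attribution stack: a Python profiler that, given a flat transfer list, isolates the window between the attack and the first return, finds the wallets that received consolidated balances from the attack address inside it, and applies the funding-pattern test above (gas provisioned before any consolidation by a funder with no prior activity). All addresses, dates and amounts are constructed, and "no prior activity" is judged against the sample dataset only, where a real check would query full chain history; the function names are assumptions.

```python
"""Profile the holding wallets active in the pre-return window.

Constructed example, not 5CIP's attribution stack. Given a flat transfer list,
it isolates the window between the attack and the first return, finds the
addresses that received consolidated balances from the attack address inside
it, and applies the funding-pattern test the article describes: was the wallet's
gas provisioned, before any consolidation, by a funder with no prior activity?
Dates, amounts and addresses below are made up; "no prior activity" is judged
against this dataset only, where a real query would cover full chain history.
"""
from collections import defaultdict
from typing import Optional


def addr(label: str) -> str:
    """Constructed placeholder address: 20 bytes of one repeated hex digit."""
    return "0x" + label * 40


ATTACK, HOLD1, HOLD2, HOLD3 = addr("a"), addr("b"), addr("c"), addr("d")
FRESH_FUNDER, OLD_WALLET, ROUTER, TREASURY, BYSTANDER = (
    addr("e"), addr("f"), addr("1"), addr("2"), addr("3"))

# (date, from, to, token, amount); constructed, and ISO dates sort correctly as strings
TRANSFERS = [
    ("2023-01-05", OLD_WALLET, BYSTANDER, "ETH", 1.0),   # funder with history
    ("2023-03-10", OLD_WALLET, HOLD3, "ETH", 0.05),      # gas for HOLD3
    ("2023-03-12", FRESH_FUNDER, HOLD1, "ETH", 0.10),    # gas for HOLD1, funder's first tx
    ("2023-03-13", ATTACK, HOLD1, "ETH", 5000.0),        # consolidation
    ("2023-03-14", ATTACK, HOLD2, "ETH", 3000.0),        # consolidation, no gas prep
    ("2023-03-15", ATTACK, HOLD3, "ETH", 1000.0),        # consolidation
    ("2023-03-20", HOLD1, ROUTER, "ETH", 500.0),         # DEX interaction
    ("2023-03-25", HOLD1, TREASURY, "ETH", 4000.0),      # first return, outside window
]


def in_window(transfers: list, start: str, end: str) -> list:
    """Transfers dated start <= date < end."""
    return [t for t in transfers if start <= t[0] < end]


def consolidation_targets(transfers: list, source: str) -> dict:
    """Address -> total received directly from `source` within the given transfers."""
    totals = defaultdict(float)
    for _, src, dst, _, amount in transfers:
        if src == source:
            totals[dst] += amount
    return dict(totals)


def first_seen(transfers: list, address: str) -> Optional[str]:
    """Earliest date at which `address` appears as sender or receiver."""
    dates = [t[0] for t in transfers if address in (t[1], t[2])]
    return min(dates) if dates else None


def gas_provisioning(transfers: list, wallet: str, source: str) -> Optional[tuple]:
    """First inbound transfer to `wallet` that precedes its first inflow from
    `source`; None when the consolidation itself was the wallet's first inflow."""
    inbound = sorted(t for t in transfers if t[2] == wallet)
    first_from_source = next((t for t in inbound if t[1] == source), None)
    for t in inbound:
        if first_from_source is not None and t[0] >= first_from_source[0]:
            break
        if t[1] != source:
            return t
    return None


def profile_holding_wallets(transfers: list, source: str, start: str, end: str) -> list:
    """Holding wallets funded by `source` in the window, largest first, each with
    the purpose-built-infrastructure indicator (fresh funder provisioned gas)."""
    window = in_window(transfers, start, end)
    profiles = []
    for wallet, received in consolidation_targets(window, source).items():
        gas = gas_provisioning(transfers, wallet, source)  # full history, not just the window
        funder = gas[1] if gas else None
        fresh = funder is not None and first_seen(transfers, funder) == gas[0]
        profiles.append({"address": wallet, "received": received,
                         "gas_funder": funder, "funder_was_fresh": fresh})
    return sorted(profiles, key=lambda p: p["received"], reverse=True)


if __name__ == "__main__":
    for p in profile_holding_wallets(TRANSFERS, ATTACK, "2023-03-13", "2023-03-25"):
        print(p)
```

Note the two different scopes: consolidation is counted only inside the window, so the March 25 return is excluded, while gas provisioning and first-seen dates are evaluated over the whole history, because the pre-attack funding chain is exactly where the indicator lives. On the sample data the largest recipient is flagged as purpose-built (its only pre-consolidation inflow came from an address with no earlier activity), the second received the consolidation as its first inflow with no separate provisioning, and the third was gassed by a wallet with history.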

DEX Interactions During the Holding Period — What Was Converted and Why It Matters

The attacker converted a portion of stolen assets through DEX aggregators during the 12-day holding window — prior to any return decision. These conversions are fully confirmed in on-chain data and are forensically significant for two distinct reasons: they account for the majority of the $20M unrecovered gap, and they generated additional attribution graph nodes that extend the investigable trail beyond the original attack addresses.

  • WBTC to ETH via Uniswap routing — confirmed on-chain; the conversion created intermediate routing addresses that constitute Tier 1B attribution evidence (Transfer event log confirmed, not just input data)
  • EULER token market sales — sold to secondary markets, contributing to the 70% price collapse; the sale addresses are directly attributable to the attack cluster at Tier 1A confidence (direct chain from attack address)
  • Stablecoin swaps via 1inch aggregator — inferred from routing contract interaction patterns; output addresses are tracked but confidence is Tier 1B pending full input/output matching

Critically, DEX conversions in the pre-return window are not forensically neutral. An attacker converting assets before a return decision has made a choice: they are optimizing the asset composition of what they hold, not preparing for return. That behavioral signal — combined with the fact that the converted assets were not included in the returned $177M — supports the inference that the conversion endpoints represent assets the attacker intended to retain. Those endpoints are the highest-priority subpoena targets in this case.
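The evidence tiers used in the list above, as an added example that is not from the original article or from 5CIP's tooling: a Python pass over transaction receipts that decodes ERC-20 Transfer event logs, tiers each conversion initiated by a cluster address (1A when the tokens left a cluster address directly, 1B when the log is confirmed but the tokens moved through a routing contract, "inferred" when only the calldata to a router is available), and collects the output addresses that extend the trail. The Transfer topic hash is the standard keccak256 of Transfer(address,address,uint256); the receipts, transaction hashes, addresses, function selector and function names are constructed assumptions.

```python
"""Classify DEX conversion evidence from transaction receipts.

Constructed example, not 5CIP tooling. An ERC-20 Transfer event is emitted by
the token contract itself, not chosen by the transaction sender, which is why
the article treats a confirmed Transfer log as stronger evidence than an
inferred router interaction. Each decoded transfer in a cluster-initiated
transaction is tiered: 1A when the tokens left a cluster address directly,
1B when the log is confirmed but the tokens moved through a routing contract,
and "inferred" when only the calldata to a router survives. Receipts, hashes,
the selector and addresses are made up; the tier labels follow the article.
"""
from typing import Optional

# keccak256("Transfer(address,address,uint256)"), the topic every ERC-20 Transfer log carries
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"


def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; the address is the last 20."""
    return "0x" + topic[-40:].lower()


def decode_transfer(log: dict) -> Optional[dict]:
    """Decode an ERC-20 Transfer log; None for other events (an ERC-721 Transfer
    shares the topic hash but also indexes the tokenId, giving four topics)."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None
    return {"token": log["address"].lower(), "from": topic_to_address(topics[1]),
            "to": topic_to_address(topics[2]), "amount": int(log["data"], 16)}


def attribute_conversions(receipts: list, cluster: set, routing: set) -> dict:
    """Tier every conversion initiated by a cluster address and collect the
    output addresses that lie outside both the cluster and known routing contracts."""
    evidence, endpoints = [], set()
    for rcpt in receipts:
        if rcpt["from"] not in cluster:
            continue  # not initiated by the attack cluster
        transfers = [t for t in (decode_transfer(l) for l in rcpt["logs"]) if t]
        if not transfers:
            # only the router call is visible: inferred until logs are matched
            evidence.append({"tx": rcpt["hash"], "tier": "inferred",
                             "router": rcpt["to"], "selector": rcpt["input"][:10]})
            continue
        for t in transfers:
            tier = "1A" if t["from"] in cluster else "1B"
            evidence.append({"tx": rcpt["hash"], "tier": tier, **t})
            if t["to"] not in cluster and t["to"] not in routing:
                endpoints.add(t["to"])
    return {"evidence": evidence, "endpoints": sorted(endpoints)}


def pad(address: str) -> str:
    """Encode an address as a 32-byte indexed topic (constructed helper)."""
    return "0x" + address[2:].rjust(64, "0")


# Constructed sample data: one-digit placeholder addresses and hashes
HOLD1, OUT1, ROUTER, POOL, WBTC, WETH, OTHER = ("0x" + c * 40 for c in "b123456")
TX1, TX2, TX3 = ("0x" + c * 64 for c in "789")
SELECTOR = "0xaabbccdd"  # placeholder router function selector, not a real one

RECEIPTS = [
    {"hash": TX1, "from": HOLD1, "to": ROUTER, "input": SELECTOR + "00" * 64, "logs": [
        {"address": WBTC, "topics": [TRANSFER_TOPIC, pad(HOLD1), pad(POOL)],
         "data": hex(5 * 10 ** 8)},        # 5 WBTC in (8 decimals) leaves the cluster
        {"address": WETH, "topics": [TRANSFER_TOPIC, pad(POOL), pad(OUT1)],
         "data": hex(80 * 10 ** 18)},      # WETH out of the pool to a new address
    ]},
    {"hash": TX2, "from": HOLD1, "to": ROUTER, "input": SELECTOR + "00" * 64, "logs": []},
    {"hash": TX3, "from": OTHER, "to": ROUTER, "input": SELECTOR + "00" * 64, "logs": [
        {"address": WBTC, "topics": [TRANSFER_TOPIC, pad(OTHER), pad(POOL)], "data": "0x1"},
    ]},
]

if __name__ == "__main__":
    result = attribute_conversions(RECEIPTS, cluster={HOLD1}, routing={ROUTER, POOL})
    for item in result["evidence"]:
        print(item["tier"], item["tx"][:10], item.get("to") or item["router"])
    print("endpoints:", result["endpoints"])
```

The design choice is that tiering is driven by which address the token contract says the funds left, not by what the sender's calldata claims: the WBTC leg leaves a cluster address directly (1A), the WETH leg is log-confirmed but leaves the pool (1B), and the second transaction, whose logs are absent from the sample, stays "inferred" until input/output matching is completed. Only the WETH recipient survives as an endpoint, because the pool is a known routing contract rather than a place value comes to rest.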

Bottom line

Euler's negotiated recovery was the fastest in DeFi history — and also a forensic complication. The attacker's pre-return DEX conversions during the 12-day holding window represent both the unrecovered $20M and the highest-confidence subpoena targets remaining in this case. 'Successful recovery' and 'resolved case' are not the same thing here. The criminal record is open, the statute of limitations is running, and the conversion endpoint graph is the live trail.

Need a forensic report on this case?

5CIP delivers judicial-grade investigation reports with complete chain-of-custody documentation for the Euler Finance hack — including the pre-return holding period graph, DEX conversion endpoint analysis, per-entity confidence scoring across 5 cross-verified iterations, and a subpoena-ready evidence package for the unrecovered $20M trail.