The 2023-03-13 attack on Euler extracted the majority of funds held by the protocol and converted them into ETH and DAI. Much of this has been recovered. The following is a plan for how to distribute these funds to affected users. Other options have been identified. However, after careful consideration by the Euler Foundation, Euler Labs, and external advisors, the following has been chosen as the optimum approach. This plan may be modified as the calculations progress.
This proposal addresses the mechanism for redemption. Further discussion will be needed with regards to the use of insurance funds and the Euler treasury to supplement things.
- For each sub-account, Euler simulates the repayment of all liabilities at the block the protocol was disabled. The on-chain oracle price (either Uniswap or Chainlink, depending on the market) as defined in the smart contract at this time is used to determine the ETH value of the assets and liabilities, and each of the account’s assets (including non-collateral assets) is proportionally used to repay the liability, assuming no slippage.
- Self-collateralised positions are treated the same as other positions
- Staked ETokens are handled equivalently to their underlying ETokens
- The protocol reserves are not eligible for any redemption, and instead will be used to cover bad debt for dust accounts, and the remainder will be proportionally allocated to users
- Markets that have bad debt in excess of reserves (a few long-tail markets that suffered oracle attacks) will have the bad debt proportionally distributed amongst depositors in the market
- The previous step leaves each sub-account with a basket of various assets. The net asset value (NAV) of the account is computed by converting each item in the basket to ETH using a secure pricing method snapshot taken at a pre-announced future “redemption” block.
- A subaccount with negative NAV will be considered to have a NAV of 0.
- Each account’s NAV is computed by summing up the NAVs of each subaccount
- Remaining balances currently held by the Euler contract will be claimable by depositors as original tokens, proportional to their deposit amounts vs total market deposits.
- In case the remaining balances are larger than the sum of all deposits, each depositor will be able to claim the full deposited amount of tokens.
- The value of the claimed tokens (using Euler prices as described above) will be deducted from the account’s NAV prior to the simulated repay.
- All account NAVs will be summed to get the total NAV. Each account will be able to claim the recovered ETH, DAI, and USDC according to its proportion of the total NAV.
- In the event that at the time of the pre-announced redemption block the value of the recovered amounts exceeds the total NAV, the excess will be distributed proportionately to users.
A smart contract will be created that contains the funds due to all EOAs. This contract will have a root of a merkle tree embedded. In order to claim the redemption, an EOA will need to pass in two items:
- The claim information for the account along with a merkle proof of validity
- A signed message and agreement that confirms that the account holder agrees with the terms of the redemption, as stipulated by the Euler Foundation
Smart Contract Accounts
There are 141 affected smart contract accounts. Redemptions can not necessarily be sent directly to smart contract accounts. Furthermore, smart contracts can not sign messages authorising their claims.
For these reasons, smart contracts will have to be handled on a case-by-case basis. Representatives of the Euler Foundation will communicate with affected protocols and smart contract wallet holders for guidance given their particular situations.
- Wallet owners and/or representatives of protocols will need to authenticate themselves to the satisfaction of the Euler Foundation and agree to the terms of the redemption
Multi-sig wallets are a special sub-case of smart contract accounts. These wallets can be included in the merkle-based distribution contract (or a separate contract), however they will need to use a transaction in order to agree to the terms of the redemption. The contract may use the EIP-1271 standard to implement this.
Recovered funds include all those returned to the Euler DAO Treasury address following negotiations, totaling 95,556.36059211764 ETH and 43,063,729.35 DAI. Unrecovered funds at this point include funds with potential sanctions issues sent by the attacker to Tornado Cash, totaling 1,100 ETH and those sent to an address owned by the Ronin attacker, totalling 100 ETH. Another 100 ETH were returned by the attacker directly to a user, who in turn returned 12 ETH to the Euler DAO Treasury (included above). The DAO Treasury address also holds 3,396,964 USDC and 1,007,321 DAI from Sherlock protocol insurance payouts.
The goal is to let users redeem funds as soon as possible. For EOAs and multi-sig wallets, the following needs to happen:
- Method for computing calculations needs to be analysed and assessed for fairness and practicality
- Distribution contract needs to be developed and audited
- Users need to be given sufficient time to assess their redemption status and read the terms of redemption, as well as advance notice of the redemption block number