Author: Zack Abrams, Compiled by Coinage
“I was trying to decide if it was a good idea to keep $20 million in my own hands…because that’s what Euler offered me. I wasn’t ready, I lacked experience, and I was a newcomer…I didn’t sleep for days, for weeks, but eventually, I knew I had to give it back, I knew I didn’t want to cause any harm to Euler’s user base.”
On March 13, 2023, in just 18 minutes, a hacker stole nearly $200 million worth of cryptocurrency from a popular lending platform – Euler Finance – making it the largest theft of the year. Just three weeks later, he reversed the transaction and returned everything he had stolen.
Since the hack, the person responsible for the operation has come forward to explain his perspective on the event and claims he never intended to keep the money in the first place.
Coinage spoke with the self-proclaimed hacker, a young Argentine man named Federico Jaime, a claim supported by other
For the next two days, Federico couldn’t sleep. When he finally woke up in an Italian hospital bed, he was $200 million richer, but felt like a curse had been burned onto his back.
Image source: Instagram @federicojaimeok
The world of cryptocurrency relies on transparency. Every transaction – from sending money to a friend, buying an NFT, taking out a loan – is public, and transactions are irreversible. Applications running on blockchains (called smart contracts) are also public; anyone can inspect the code for themselves.
With the surge in interest in cryptocurrencies over the past few years, an entire decentralized finance (DeFi) industry has emerged that lets cryptocurrency investors exchange tokens, take out loans, make leveraged bets on price changes, and earn interest. Currently, about $45 billion in cryptocurrency is locked in DeFi protocols; in the fall of 2021, that figure exceeded $175 billion, roughly equivalent to the total deposits held by JPMorgan Chase.
DeFi offers exciting financial innovations for cryptocurrency enthusiasts, in line with the rapid growth and loose regulation of the cryptocurrency space. If you want to borrow $200 million without collateral, or speculate on “meme” cryptocurrencies like DOGE and PEPE, DeFi is the only way to go.
Meanwhile, hackers see DeFi as a collection of digital bank vaults, each with a public blueprint (open-source code) that is effectively an invitation to try to rob it. According to data from cryptocurrency research firm Chainalysis, DeFi protocols have become the primary target of cryptocurrency hackers, who stole $2.2 billion from DeFi in 2021 and $3.1 billion in 2022, over 80% of all cryptocurrency stolen that year.
So far, the most successful cryptocurrency hacker has been the Lazarus Group, which stole $1.7 billion in 2022, of which $1.1 billion came from DeFi vulnerabilities.
In the face of endless attacks, DeFi protocols respond by hiring security companies to audit their smart contracts and monitor for threats, and by paying white hat hackers (hackers who report vulnerabilities for a reward rather than exploiting them, as opposed to black hats) to find the bugs before anyone else does. Yet even DeFi protocols that have undergone strict audits and taken every precaution can still fall victim to a determined attacker, and sometimes the attacker is just a 19-year-old kid with God on his side.
Image source: Instagram @federicojaimeok
All of this can be stopped with a single line of code.
Back at the hotel, as the sun rose over Rome, Federico began researching Euler Finance, a DeFi lending protocol developed by a London-based startup called Euler Labs. Euler allows its users to take out loans worth up to ten times the collateral they deposit; put in $10,000 and you can trade as if you had $100,000. But cryptocurrency is volatile, and if the price moves against you, your collateral may no longer cover your loan. That is why the platform checks the health of a user's account every time they interact with Euler, and allows the position to be liquidated if its health score falls too low.
But Federico saw something that wasn’t there: a single function in a single Euler smart contract lacking a health check. In just a few hours of research, Federico found something that Euler’s team and several independent smart contract auditors had missed.
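To make the failure mode concrete, here is a hypothetical, heavily simplified lending pool written for this article. It is not Euler's code, and the names used (`SimpleLendingPool`, `checkHealth`, `donateCollateralUnchecked`, `MAX_LEVERAGE`) are invented for illustration; tokens are abstracted to plain numbers in a single unit of account. The point it demonstrates is the one described above: every function that can lower an account's collateral or raise its debt must re-run the health check, and a single function that skips it lets a borrower walk away with a loan backed by nothing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical simplified lending pool (added illustration, not Euler's code).
// Collateral and debt are tracked in the same unit of account, so the health
// condition reduces to: debt <= collateral * MAX_LEVERAGE.
contract SimpleLendingPool {
    // "Borrow up to ten times your collateral" (assumed figure, from the text above).
    uint256 public constant MAX_LEVERAGE = 10;

    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 public reserves;

    error Undercollateralized(address account);

    function isHealthy(address account) public view returns (bool) {
        return debt[account] <= collateral[account] * MAX_LEVERAGE;
    }

    // Runs the function body first, then re-checks the account's health and
    // reverts if the action left it undercollateralized. Every function that
    // can reduce collateral or increase debt must carry this modifier.
    modifier checkHealth(address account) {
        _;
        if (!isHealthy(account)) revert Undercollateralized(account);
    }

    // Depositing can only improve health, so no check is needed here.
    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
    }

    function borrow(uint256 amount) external checkHealth(msg.sender) {
        debt[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external checkHealth(msg.sender) {
        collateral[msg.sender] -= amount; // underflow reverts in Solidity >= 0.8
    }

    function repay(uint256 amount) external {
        debt[msg.sender] -= amount;
    }

    // VULNERABLE: moves collateral out of the caller's account into the pool's
    // reserves without re-checking health. It looks harmless because the caller
    // is giving value away, but the sequence
    //   deposit(100); borrow(1000); donateCollateralUnchecked(100);
    // passes every check (1000 <= 100 * 10 holds at borrow time) and ends with
    // collateral = 0, debt = 1000, and the 1000 already in the caller's hands.
    function donateCollateralUnchecked(uint256 amount) external {
        collateral[msg.sender] -= amount;
        reserves += amount;
    }

    // FIXED: the same operation with the health check applied. The third call
    // in the sequence above now reverts with Undercollateralized(caller).
    function donateCollateral(uint256 amount) external checkHealth(msg.sender) {
        collateral[msg.sender] -= amount;
        reserves += amount;
    }
}
```

The practical lesson for auditors is not the specific function but the invariant: enumerate every state transition that can move an account toward insolvency (withdrawals, borrows, collateral transfers, donations, fee deductions) and confirm each one ends with the same post-condition check. A review that only looks at the "obvious" borrow and withdraw paths misses exactly this kind of omission.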
“It was simply divine inspiration. It was simply waking up my muse,” Federico says. “And after almost a month looking for what I was looking for… I found it.”
Federico began plotting his attack. After two days of non-stop programming, he was almost ready to execute. The only problem was: he didn’t know how to deploy the smart contract, or how much it would cost.
“I Googled, ‘how much does it cost to deploy a smart contract?’ And I found… articles saying, ‘Anywhere from $5,000 to $50,000,'” Federico says, raising his voice in incredulity. “WTF.”
But Federico pressed ahead, eventually learning that the actual cost of deploying the contract would be much lower. By now, several days had passed since he last slept, and Federico tells me he wasn’t even thinking about the money. “I thought it was an experiment. Just an experiment,” he explains. “I wasn’t sure if it was going to work… I wasn’t sure if I could deploy the smart contract. My doubts were more than my certainties.”
“So I really underestimated this vulnerability and myself, because it ultimately worked,” he added.
On the morning of March 13, 2023, at 9:54 am Italian time, Federico sat in front of his computer. In 18 minutes, he used three wallets to launch an attack on Euler Finance and stole $197 million worth of cryptocurrency from the protocol. The funds eventually all ended up in one wallet – a virtual suitcase filled with stacks of hundred-dollar bills.
“First of all, I thought, this is so exciting. I’ve hacked a huge protocol, and then I thought, wow, $200 million. This is the curse on my back.”
Federico still couldn’t fall asleep, so he had the hotel concierge call an ambulance.
Image source: Instagram @federicojaimeok
The first to notice the anomaly was not a person but a bot. Several crypto security companies provide real-time threat monitoring and alerts for DeFi projects, and in the Euler hack at least two of them, Forta and Hypernative, raised alerts before the attack began.
Unfortunately for Euler Labs, which declined to comment for this article, the automated alerts came only a few minutes before the attack, far too little lead time for the London-based startup to protect the protocol. ("We typically predict the timing of an attack to be between one minute and one hour," said Alex Behrens, Forta's marketing manager.)
On Monday, March 13th, at 8:59 a.m. UK time, blockchain security company PeckShield posted on social media "Hi @eulerfinance: You might want to take a look," linking to a page showing that a wallet had drained Euler's DAI stablecoin pool, stealing over $8.7 million.
Then everyone watched as Euler was hit again and again. The hacker took $18.5 million worth of WBTC, then $116 million worth of stETH… In the end the hacker walked away with $197 million, and Euler's reserves in six tokens were wiped out.
At 9:56 a.m., Euler quoted PeckShield's message on social media, saying: "We are aware, and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it."
Because this is cryptocurrency, everyone can see the funds in the hacker's wallet. By examining the wallet's transactions, security experts were able to reverse-engineer the attack and identify the single vulnerability that led to the theft. But, also because this is cryptocurrency, Euler's team could not associate the wallet with a real-life identity or know the hacker's intentions.
On March 13, the hacker's final move was to send 100 ETH (worth $168,000 at the time) through Tornado Cash, a "mixer" on Ethereum that obscures the link between a sender and a receiver and makes funds harder to trace. The wallet address then went silent.
At 10:47 p.m. that night, Euler’s team sent a message to the hacker’s wallet, stating, “We understand that you are responsible for the attack on the Euler platform this morning. We are writing to ask if you would be willing to discuss any possible follow-up steps with us.” The attempted communication marked the beginning of a difficult three weeks for Euler’s team.
The next night at 9:22 p.m., Euler's team sent another message to the hacker's wallet proposing that 90% of the stolen funds be returned within 24 hours, in effect letting the hacker keep a 10% bug bounty of roughly $20 million. Otherwise, Euler would offer a $1 million reward to anyone who provided information leading to the hacker's arrest.
The hacker did not respond.
On March 15 at 11:20 a.m., Euler’s team sent another message to the hacker’s wallet, reiterating the bug bounty proposal. “Then the investigation can stop, and the focus can shift to distributing it back to the protocol users without going through legal channels,” Euler’s team wrote.
That night at 10:06 p.m., with the hacker still silent, Euler’s team announced a $1 million reward for information that led to the hacker’s arrest and the recovery of the funds. The following day, Euler co-founder and CEO Dr. Michael Bentley shared his response to the attack, calling the past few days the hardest of his life and expressing his sorrow for the affected users.
“I had to sacrifice time with my newborn son,” Bentley wrote on Twitter. “I will never forgive the attacker, but they can make it right and return the funds to the EulerDAO Treasury as soon as possible.”
Photo credit: Instagram @federicojaimeok
Federico Jaime claimed he never intended to keep the money. “I knew from the beginning that $200 million is not a small number, it would cause huge damage to the DeFi community, and that was not my goal at all.”
We all want to know, even if it’s just for a moment, if Federico ever thought about what $200 million could buy, if he ever imagined himself living in a mansion? On a yacht? “Never, not at all, because I’m an entrepreneur. I can legally and perfectly make money, I don’t need to steal, I have no reason to take other people’s money.”
For most people, such comments would at best elicit an eye roll. After all, the crypto community is not known for its humility. But I’ve seen photos of Federico touring Europe, staying at five-star hotels, and wearing designer streetwear. In a conversation we had over the phone and occasional texts, I asked Federico, who just turned 20 in June, how he sustains his lifestyle.
Federico grew up in Buenos Aires with his parents and sister. Inspired by his father, a software engineer, he learned to code at 12 and sold his first program — a plugin for the video game Minecraft — for $10,000 when he was 14. “It meant freedom, because I no longer had to ask my parents for money, they applauded me.”
As he grew older, Federico turned to a new game, Grand Theft Auto V, and developed an anti-cheat system for the custom multiplayer game servers he ran for fans of the game. “I found a memory read error. I saw that we could profit from it.” Federico said, adding that the software, FiveGuard, is now owned by someone else. “It’s special because when you enter a game server with some unfair advantage, you get banned instantly.”
Federico had originally planned to attend law school in Argentina, but after graduating in 2020 and dealing with the pandemic (there were many restrictions and a long quarantine period in Buenos Aires), Federico, with his parents’ permission, decided to take a long break before going to university.
In early October of last year, Federico traveled to Rome. In December of last year, he reportedly targeted Buenbit, a cryptocurrency exchange operating in Argentina, Mexico, and Peru, and stole hundreds of thousands of dollars. Federico Ogue, the CEO of Buenbit, characterized the attack as fraud. News reports citing sources familiar with the matter said the losses from the attack were $800,000, but Federico denied that figure.
Federico declined to comment on the specifics of the case, and while he admitted his target was Buenbit, he also claimed that many of the more sensational details in media reports were either misleading or entirely fabricated. The 20-year-old man insisted he was innocent in the case and pointed out that he and his lawyer were in contact with Buenbit’s team, and he hoped the matter would be resolved soon.
And just a few months later, Federico had a new concern, this time for two hundred million.
Source: Instagram @federicojaimeok
At the time of the attack, Euler Finance had as many as 7,000 users. Two days later, on March 15th, one victim decided to send a message to the hacker’s wallet (Federico’s wallet).
“Please consider returning 90%/80%. I’m not a whale or a millionaire, I’m a user with 78 wstETH as my life savings deposited into Euler,” wrote Santiago Avalos, a blockchain developer from Argentina. “You can’t imagine the chaos I’m in right now, completely devastated… Your decision will make a lot of affected people breathe easier.”
Avalos’ life savings of 78 wstETH were worth over $140,000 at the time. Thirteen hours after Avalos sent the message, Federico responded, but not via text. Instead, he took action for the first time since the hacker attack three days earlier and sent 100 ETH to Avalos, worth about $27,000 more than what the victim lost in the Euler collapse. Avalos returned the excess funds to Euler, saying, “I believe he may have been moved by my message.”
“This was my genuine gesture,” Federico said when talking about his motivation for returning the funds. “I was very generous at the time. Also, I later found out that this person… is also Argentinean and a Solidity developer,” he added. “It was indeed a very interesting coincidence.”
Federico was not done moving funds. He also pushed 1,100 ETH through Tornado Cash in two transactions, nearly $2 million in total. When I asked him why, Federico told me: "I didn't think much about it. I thought that if they offered me a 10% reward, it would be too much for me. I would try to take 1% of it."
His next move was the most confusing yet. Before 5 a.m. on March 17th, Federico sent another 100 ETH, this time to a notorious wallet that had carried out one of the largest cryptocurrency hacks in history almost a year earlier, stealing over $600 million from the Ronin Bridge. A month after that hack, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) officially linked the Ronin Bridge exploit to the Lazarus Group.
However, when I asked him about it, his explanation shocked me. “I had no idea it was North Korea. I never doubted it,” he began. “The reason I sent 100 ETH to the Ronin exploiters was purely out of admiration… I wanted to express my admiration from white hat hackers to black hat hackers.”
I was stunned, and Federico could tell. “I know you didn’t expect me to say that, but it’s the truth,” he replied. “I think it’s the most important area in the world today, and the Ronin hack was an engineering act. In that sense, it’s admirable… The devil can also be a beautiful woman.”
The next day, Federico began to return the funds, initially in three installments of 1,000 ETH each, totaling about $5.4 million. Then, his wallet fell dormant again. Analysts were skeptical at the time whether Euler would be able to recover the remaining funds.
But two days later, on March 20th, Federico sent his first message to the Euler team: “We want to make it easy for everyone affected to deal with. We don’t want to keep anything that doesn’t belong to us. Set up secure communication. Let’s reach an agreement.”
Federico told me that he decided to come forward not for his own benefit, but for the benefit of the DeFi community. “I want to encourage ethical hacking behavior, and that’s the main reason, I want to be able to speak up and tell people to do the right thing.”
Federico also hopes that the negotiation strategy between Euler and the attacker will set a precedent for other parts of DeFi. “I am convinced that the hacker scene in the decentralized finance field will be different after the Euler hacking incident. I think this shows the importance of audits to the world, as well as the importance of negotiation after a hack.”
However, not everyone in the cryptocurrency industry is enthusiastic about bug bounties and hacker negotiations becoming the norm. Erin Plante, vice president of investigations at Chainalysis, said: "Most DeFi hackers do not receive rewards of $100,000 or $500,000 from legitimate bug bounties, but often demand 50% or more of the stolen funds as commissions, which is more like extortion."
Plante also pointed out that as law enforcement agencies get better at tracking illegal cryptocurrency, hackers are finding it harder to cash in on their rewards. She said, “In this case, coupled with the collective decline in bounties across the industry, the incentives for hackers to engage in this work are expected to change.”
Federico repeatedly insisted to me that his plan was to return the funds from the beginning. So why did it take him three weeks?
“I wanted time to protect myself and find a safe way to do it, both legally and in other ways,” he said.
Of course, some of Federico's claims cannot be verified. Federico told me that the design and execution of the exploit were entirely his own work ("I did all of this myself"), although he occasionally received advice from a colleague, such as a list of DeFi protocols to research. That claim may understate others' involvement; the on-chain data available to us cannot show who wrote the code.
We will also never know if Federico would have kept the money if he had planned the attack better. He admitted to me that he regretted not considering the consequences, but said he did it just to do the right thing. “I just didn’t plan well enough, and the amount was too big for me to handle,” he said.
Federico expressed regret to me about the pain he caused to the Euler team. “My heart was broken when I saw Michael Bentley’s tweet saying he had to sacrifice time with his family,” he said. When I asked him if he was worried about the impact of the attack on the future, he denied the concern. “I believe legally, Euler team won’t come after me because it would prevent future hackers from returning funds.”
Euler Finance began compensating victims of the attack on April 12, to the relief (and near disbelief) of those affected. The exploit's impact had spread to 11 other DeFi protocols that held funds in Euler; one of them, Yield Protocol, did not recover until June 27. Euler's lending platform has remained offline since the attack.
Federico is still in Europe, describing his personal situation as “complicated,” but saying he hopes to return to Buenos Aires soon to continue his studies. “My life hasn’t been as easy since the Euler hack, which has put pressure on me,” he said.
I asked Federico if he thought God seemed to be responding to his prayers by giving him a lesson. “I think either he’s playing games with me or he’s (testing) me,” he replied.
Federico has not yet made up his mind.