After the Hack
In early 2023, Euler was one of DeFi's rising stars. But a massive $197M hack changed that in an instant. From industry darling to clawing for survival: the aftermath of the Euler hack.
In March 2023, Euler was on a tear, having more than doubled its TVL to ~$300M in just a few months. In addition, Euler had a reputation as a security-conscious project, putting into place all the best preventative security practices like multiple audits, a bug bounty and even a hack insurance plan.
This earned them a score of 95% from DeFiSafety in May 2022.

Despite all of this, Euler still got hacked. Because no matter how tall your stack of audits, no code is 100% bug-free.
As outlined in Michael Bentley's excellent retrospective, Euler took a unique posture in the immediate aftermath of the hack, keeping almost completely silent in their post-incident communication.

While this approach has some advantages and appears to have matched well with this particular hacker, it leaves a massive vacuum in the public forum.
Speculation flooded social channels, some of it fair but uninformed, much of it toxic rumor. One unfounded rumor - that the commit which opened the security flaw was unaudited - was parroted time after time in Discord.

Euler was maxed out on preventative security measures, but under-indexed on reactive ones. When it comes to reactive measures, many projects have a completely empty toolbox, so kudos to Euler for at least securing a $10M insurance plan via Sherlock.
But this amount was a bit too small for their size; they should have created (and still should create) an emergency fund properly sized for their TVL. Emergency funds don't need to cover 100% of TVL, but can cover a surprisingly large percentage of users if a per-user cap is set, like the FDIC's $250k.
Assuming a user deposit distribution skewed toward small depositors - the commonly observed shape for protocols of their size - Euler could likely have covered 95% of their user base at a $10k cap per user with just an additional $10M of safety funds.
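To make the per-user-cap arithmetic concrete, here is an added example (not from the original post) that sizes a capped safety fund against a constructed, heavy-tailed depositor set; the deposit figures are assumptions for illustration, not Euler's actual user data.

```python
"""Sizing a per-user-capped safety fund against a deposit distribution.

Added example; the deposit figures below are constructed for illustration
and are not Euler's actual user data.
"""
from typing import Sequence

# Constructed, heavy-tailed depositor set: 1,000 users, most of them small.
CONSTRUCTED_DEPOSITS: list[float] = (
    [500.0] * 600          # 600 retail users at $500
    + [3_000.0] * 300      # 300 users at $3k
    + [50_000.0] * 80      # 80 mid-size users at $50k
    + [1_000_000.0] * 20   # 20 whales at $1M, holding most of the TVL
)


def fund_required(deposits: Sequence[float], cap: float) -> float:
    """Payout needed to make every user whole up to `cap` (FDIC-style)."""
    return sum(min(d, cap) for d in deposits)


def fully_covered_fraction(deposits: Sequence[float], cap: float) -> float:
    """Share of users whose entire balance is at or below the cap."""
    return sum(1 for d in deposits if d <= cap) / len(deposits)


def fund_share_of_tvl(deposits: Sequence[float], cap: float) -> float:
    """Fund size as a fraction of total deposits (TVL)."""
    return fund_required(deposits, cap) / sum(deposits)


def cap_for_coverage(deposits: Sequence[float], target_percent: int) -> float:
    """Smallest per-user cap that fully covers at least `target_percent` of users.

    Integer arithmetic avoids float rounding when counting how many users
    must sit under the cap; the cap returned is an actual user balance.
    """
    ordered = sorted(deposits)
    needed = -(-target_percent * len(ordered) // 100)  # ceiling division
    return ordered[max(needed - 1, 0)]


if __name__ == "__main__":
    for cap in (10_000.0, cap_for_coverage(CONSTRUCTED_DEPOSITS, 95)):
        print(
            f"cap ${cap:,.0f}: fund ${fund_required(CONSTRUCTED_DEPOSITS, cap):,.0f}, "
            f"{fully_covered_fraction(CONSTRUCTED_DEPOSITS, cap):.0%} of users whole, "
            f"{fund_share_of_tvl(CONSTRUCTED_DEPOSITS, cap):.1%} of TVL"
        )
```

With this constructed set, a $10k cap makes 90% of users whole for under 9% of TVL, which is the effect the paragraph above describes; raising coverage to 95% of users pushes the cap to $50k and the fund to a much larger share.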

Additionally, they should have publicly posted their post-hack response plan, including the communication blackout policy, before the hack. Opinions may differ on the most effective post-hack communication strategy, but informing the community of your plan in advance will always be to your benefit in the chaos immediately after a hack.
Blocking out the bedlam on Twitter and Discord, the Euler team pushed forward with their investigation and pursuit of the hacker. After navigating a labyrinth of red herrings and a minefield of sensitive communications, the team was able to coax the mercurial hacker to return more and more, and eventually all, of the funds.
Though the Euler team acquitted themselves admirably, they'd have to admit that they got lucky. This particular hacker (communicating under the pseudonym Jacob) got in over their head and decided to return the funds. That's great for the Euler team and community!

But counting on funds being returned is a terrible strategy. Our dataset shows that only ~30% of hacked projects are able to recover any funds from the hacker (or via law enforcement). And when they do, it's usually only a small fraction of the funds that were lost.

Since their recovery of the lost funds, Euler has made significant progress in recovering its position in DeFi as well. Euler methodically developed its v2 over the course of 2023 and 2024, launching in late 2024 to a warm reception.
Per DeFiLlama, Euler v2 has now reached ~$130M in TVL, almost half Euler v1's peak, once again presenting a strong offering in the DeFi lending space.

Euler did everything right with their preventative security practices but got exploited anyway because no code is perfect.
That's why every DeFi project should create a post-hack response plan now. Publish it so your users know what to expect, and be sure to include a safety fund. Check out the Cozy Safety Module if you don't want to build your own on-chain safety fund.
Regardless, you probably shouldn't count on another hacker returning $197M.