Angle Protocol and Euler
Angle Protocol relies on various modules for agEUR. The Core Module, responsible for the majority of agEUR issuance, is a complex system involving multiple stakeholders and yield strategies. Up until now, the protocol invested a portion of the collateral reserves backing the stablecoin in different yield strategies to generate returns.
Traditionally, Angle relied on a strategy investing in Compound or Aave for its USDC and DAI reserves. In June, it was voted to add support for Euler for the DAI reserves of the protocol. This meant that in some cases, the DAI holdings of the protocol could be invested on Euler if it was yielding more than Compound and Aave. At some points, the protocol had more than 3 million DAI on Euler.
In January, another vote led to the addition of support for Euler for the USDC reserves of the protocol. This was part of a larger overhaul as the yield strategy was changed to support depositing into Aave, Compound and Euler at once. The new strategy was built to permissionlessly optimize the allocation of funds across these different venues to maximize the protocol'srevenue on its reserves. More details on the new strategy are shown here.
Another way with which Angle can create agEUR is through its direct deposit modules, which allow the protocol to mint agEUR in some places like Aave and Curve with no immediate collateral available.
As part of its direct deposit modules and following several governance votes held in June 2022, Angle had minted agEUR to be lent on Euler. Some of these agEUR were also lent on Euler through Idle.
Euler hack timeline
On Friday the 10th of March, the protocol had most of its holdings on Compound and 5m USDC lent on Euler. Yet, an opportunity for the protocol to earn more revenue was spotted, and the strategy handling the USDC of the protocol was permissionlessly harvested which moved 12m USDC from Compound to Euler, leading the protocol’s position on Euler to grow to17.6m USDC.
As of the 10th of March, the protocol had also minted 3.6m agEUR as part of its direct deposit modules, but it had no DAI or FRAX on the platform.
During the 11th and 12th of March, the protocol lost some TVL due to the USDC depeg event. Funds released for users burning agEUR or Standard Liquidity Providers withdrawing their liquidity were automatically taken from the USDC that were invested on Compound, as it was the lowest yielding platform to which the protocol was exposed. As TVL decreased over the weekend, the share of the funds of the protocol invested on Euler grew at the same time to approximately 47% (31.5% before the depeg) of the TVL of the Core module.
— The Euler hack began at 9:56 am CET on March 13th.
— At 10:20, Angle Labs noticed the hack thanks to a Peckshield alert.
The Angle Protocol has a 2/3 emergency multisig, called the Guardian, with the ability to rapidly pause some functionalities of the protocol or to change parameters in response to unforeseen events. At this point, right after the hack, it was obvious that doing nothing would put the protocol in a bank run situation leaving the last stakeholders of the protocol with nothing left. The Guardian multisig thus immediately started the transactions to pause the protocol.
At the same time, given the impact and the potential losses at stake, the governance multisig was involved to pull the agEUR from the Euler AMO.
— At 10:42, a withdrawal transaction for 3,350,000 agEUR was confirmed. At this point, there was still some Protocol-owned liquidity on Euler via Idle, and Euler had not yet been paused. Other depositors with borrowing power on Euler (such as USDC depositors) could have borrowed agEUR from other lenders. It was therefore decided to burn the remaining agEUR on the Euler contract to prevent such exploits. The idea was that these tokens could potentially be minted again at a later point in time.
— At 11:03, the first pause transactions occurred on the Core module. By 12:52, the protocol's Core module had fully paused, and the debt ceilings of the Borrowing module were set to 0 on Ethereum.
To minimize potential losses, the governor multisig began to wind downother direct deposit modules of the protocol. This was done by pulling liquidity wherever possible, such as on Atlendis, where the protocol had lent 1m agEUR.
— By 3:30 pm, all available AMO had been wound down, and agEUR liquidity had been pulled from everywhere except from Aave V3 where lent agEUR was fully utilized. As a result, the protocol became entirely frozen and, technically, could have been liquidated. This left no room for insiders to take advantage of the situation and front-run others by removing leftover liquidity.
— At 3:56 pm, we published a tweet with Angle Labs to acknowledge the situation and transparently inform everyone about the amounts involved. Then, at 8:14 pm, we created a public Q&A page to keep everyone updated about the situation.
From then on, our priority was to transparently provide a more detailed state of the protocol, including all holdings of the DAO. This was to allow everyone, even those without technical expertise, to assess what was missing.— By the end of March 13th, agEUR had logically started to depeg. On March 14th, due to the bridge limit, agEUR was not priced the same on all chains.
— Due to the drying up of liquidity, the guardian multisig removed the agEUR bridge limit to mainnet on March 14th. This allowed users to bridge to Ethereum, where agEUR was more liquid, and prevented them from being arbitraged by MEV bots that front-ran users every time bridge limits were reset.
— On the 14th, we also began collaborating with authorities to provide all possible assistance in investigating the hack and recovering the funds.
— Early on the 15th of March, we released the detailed overview of the protocol’s holdings, based on information publicly available on-chain.
From then on, evolution of the situation for Angle became dependent on the evolutions of the Euler side, as everything that could be done on the Angle Protocol side had already been done.— Fortunately, things quickly started to take a favorable turn. On March 25th, the hacker began repaying funds to the Euler DAO. By April 4th, all stolen funds had been returned to the Euler DAO.
— Right now, the funds are currently on an Euler multisig, and discussions are taking place on Euler governance forum as per how the routed funds need to be routed back to affected users. The most probable outcome as it stands is that the protocol should receive enough to make all the stakeholders of the Core module whole (and get its surplus back on top of that).
Angle DAO discussions & vote
Soon after the hack and before the first repayments, discussions began on the Angle Discord and governance forum about how to respond to the incident. Much of the conversation focused on identifying which protocol stakeholders should be considered repaid back first.
This led to a vote about whether agEUR holders should be considered senior in the Angle Core module in case of a loss that is not automatically handled by the smart contracts. This vote ended on the 4th of April, and veANGLE holders supported the seniority of agEUR holders.
This vote was meant as a general purpose vote on the Core Module, yet it also provides some guidance on how to move forward with the current situation.
Having agEUR as senior within the Core Module means that its peg could be fully restored, even when funds from Euler have not yet been received. As it stands, the protocol currently has sufficient reserves to handle agEUR's holders claims on the collateral.
Some lessons on the hack
The final outcome of the hack may in the end be more favorable than initially expected. Even though there remain some uncertainties with the practical redistribution of funds by Euler, it is already time to start drawing some lessons from it and thinking about the future of Angle.
The thoughts expressed here only reflects the views of Angle Labs. Anysuggestions put forth would need to be discussed and voted on further by the DAO.
The Euler hack had a significant impact on Angle, even though the eventual loss should be null. It's crucial to emphasize that the Angle Protocol itself was not hacked, and all the protocol smart contracts functioned as intended.
There is an opportunity to improve risk management at the protocol level. For instance, the employed strategy that lent to Euler aimed to optimize revenue by investing in protocols deemed equally risky.
In the future, if such strategies were to continue, the protocol could distribute its holdings more evenly amongst platforms, and avoid concentrating too much in a single one. It could also ensure that a far less significant part of agEUR’s backing is invested in other protocols. This approach would reduce the severity of the impact in case of a hack.
On top of that, while information about the Euler’s exposure of the protocol was transparently displayed to everyone in the analytics, it was not clear to everyone that the protocol could lend USDC and DAI on Euler. Further improving the display of the composability risks associated to the protocol is definitely an important point to have in mind for future iterations.
Emergency multisig signers could have also been faster to fully pause the protocol. Specifically, having prepared payloads to pause the protocol would have allowed to pause everything more rapidly. While this didn't have an impact in hindsight, it's an essential safety precaution to consider for the future.
Suggestions for the protocol’s future
The current situation with the paused Core Module presents a valuable opportunity to address technical debt and build a more resilient, robust and scalable system.
The weekend before the Euler hack had already revealed some of the limitations of the Core Module. Because of the rapid USDC price decrease, most of the hedging agents got liquidated which left the protocol badly hedged, and at the same time, people came to redeem agEUR for USDC with USDC at a very cheap value (at around $0.9). This led to a non negligible decrease in the protocol surplus.
In the absence of sufficient hedging mechanisms in the Core Module, the protocol could not resist such events or handle unfavorable USD/EUR price variations. Not only does the protocol need a better system to ensure agEUR price stability, it also needs a system that is more resilient and scalable.
It is also important to note that during and after the Euler hack, as well as during the USDC depeg, the Borrowing module functioned as expected. Borrowers repaid their debts at a lower agEUR price, and liquidations continued to function properly without any bad debt accruing. Similarly, the Curve direct deposit module of the protocol was safely wound down, even allowing the protocol to make a profit from the liquidity removal operation.
<aside> 💬 With this in mind, we have opened a discussion on Angle Governance Forum on safely reopening the protocol post-hack while repayments are pending and refining Angle Core module design.
</aside>
We encourage everyone to jump in and express their voice in the current discussions. By reflecting on our experiences and working together, we can build a stronger, more secure future for Angle Protocol.
I lost $600K investing in a dubious crypto investment company and I lost everything. My name is Linda Boris, a real estate investor from North Dakota, I had invested in crypto last year and was hoping to make double my investment by the start of this new year until I realized I was being conned. It was devastating for me and my family, and if not for the intervention of Morphohack Cybersecurity Service, I wouldn’t have recovered my funds. Morphohack is a top-notch cryptocurrency and data recovery company, that help its clients to retrieve crypto assets from hackers and fake investment brokers, I’m grateful for their service in helping me recover my $600k worth of crypto funds and I highly recommend their services, they can be trusted and are very reliable with a 100% success rate. E-Mail: MORPHOHACK@cyberservices.com Whats-App: (+1 2 1 3. 6 7 2. 4 0 9 2) Web-Site: MORPHOHACK. wixsite. com/cyber
⬛️ FUNDS RETRIEVAL PANEL - The Leading Recovery Expert In The World 💯 ⬛️ Have you fallen victim to a fraudulent investment or crypto scam? Are you struggling to get back the money you lost? You’re not alone. Every day, countless individuals face the devastating impact of scam operations that drain their hard-earned savings. But there’s good news – we are here to help you recover what’s rightfully yours. ⬛️ Truth be told, the only Specialists that is capable of retrieving your lost funds from online scams, fraud and scam investment websites are Team of PROFESSIONAL HACKERS & CYBER FORENSIC EXPERTS, we are the Funds Recovery Expert who knows various Retrieval Techniques and Strategies that suits different scenarios of Scam ⬛️ At Funds Retrieval Panel, we specialize in Funds Recovery using advanced technology with the help of our Top notch hackers and cyber forensic experts that works cooperatively with the use of various Advanced technology softwares, hardwares and AI’s to retrieve your funds from fraudulent investments, crypto scams, and malicious online schemes. With years of experience in the financial and tech sectors, we are the trusted solution for individuals looking to recover lost money. ⬛️ We don’t just promise results – we deliver them. Our expert team has successfully recovered Billions of dollars for clients who have fallen victim to scams ⬛️ CONTACT US NOW to schedule your free consultation and start the process of recovering your funds. 🌍 www.fundsretrievalpanel.com 🌍 📩 info@fundsretrievalpanel.com✉️
How I Got My Lost Money Back with Help from Ultimate Hacker Jack Hello everyone. I would like to thank ULTIMATE HACKER JACK for his help in returning my $790,000,000 worth of cryptocurrency that had been stolen. Despite my skepticism, it worked and I got my money back. I had given up on ever receiving my money back from those shady companies that offered internet investments, so I'm really glad I found them. This is their email address. Info: Email address: ultimatehackerjack@seznam.cz WhatsApp: +44 7..7..6..5..2..4..9..1..4..5.
How I Got My Lost Money Back with Help from Ultimate Hacker Jack Hello everyone. I would like to thank ULTIMATE HACKER JACK for his help in returning my $790,000,000 worth of cryptocurrency that had been stolen. Despite my skepticism, it worked and I got my money back. I had given up on ever receiving my money back from those shady companies that offered internet investments, so I'm really glad I found them. This is their email address. Info: Email address: ultimatehackerjack@seznam.cz WhatsApp: +44 7..7..6..5..2..4..9..1..4..5.
How I Got My Lost Money Back with Help from Ultimate Hacker Jack Hello everyone. I would like to thank ULTIMATE HACKER JACK for his help in returning my $790,000,000 worth of cryptocurrency that had been stolen. Despite my skepticism, it worked and I got my money back. I had given up on ever receiving my money back from those shady companies that offered internet investments, so I'm really glad I found them. This is their email address. Info: Email address: ultimatehackerjack@seznam.cz WhatsApp: +44 7..7..6..5..2..4..9..1..4..5.