Faced with 200 million dollars of hesitation for three weeks, 19-year-old Euler hacker can't get over his conscience
Original title: "HE STOLE $200 MILLION. HE GAVE IT BACK. NOW, HE'S READY TO EXPLAIN WHY"
Original Author: Zack Abrams, Coinage
Compilation: BlockBeats
On March 13, 2023, in just 18 minutes, a hacker stole nearly $200 million worth of cryptocurrency from Euler Finance, a popular lending platform, in the largest theft of the year. Just three weeks later, he reversed course and returned everything he had stolen.
For the first time since the hack, the person behind it has come forward to explain his take on events and to claim that he never intended to keep the money at all.
Coinage spoke to the man who claims to be the hacker, a young Argentine named Federico Jaime, a claim supported by other significant evidence. This is his story.
Image credit: Instagram @federicojaimeok
It was around 3 a.m. on a cool March night in Rome, and Federico was standing outside a bar, waiting for friends and talking to God. The 19-year-old Argentine had been looking for something for the past month and had yet to find it. He wondered why.
"Gosh, if all my projects are done in one month, why not this time?" he thought, looking up at the sky. "Why can't I hear it now, when I heard it before?" He was still hours away from returning to the hotel.
When he finally got home, he couldn't sleep, as usual. So, he decided to go to work.
Federico's prayers were answered almost immediately, perhaps prophetically. He found what he had been looking for: a bug in the code of a cryptocurrency lending program. He immediately set about exploiting his discovery.
“When I work, I work like an artist, like a writer,” Federico later told me over the phone in English, his second language. "Lack of sleep is a good thing in order to awaken the Muse."
Federico couldn't sleep for the next two days. When he finally woke up, in a hospital bed in Italy, he was worth $200 million more, but he felt a curse branded on his back.
Image credit: Instagram @federicojaimeok
The cryptocurrency world relies on transparency. Every transaction — sending money to a friend, buying an NFT, taking a loan — is public and irreversible. Applications running on the blockchain (called smart contracts) are likewise public; anyone can inspect the code for themselves.
As interest in cryptocurrencies has exploded over the past few years, so has an entire industry of decentralized finance (DeFi) applications that let cryptocurrency investors exchange tokens, obtain loans, take leveraged bets on price movements and earn interest. About $45 billion in cryptocurrencies is currently committed to DeFi protocols; in the fall of 2021, that figure exceeded $175 billion, roughly equivalent to the entire amount of deposits held by Morgan Stanley.
DeFi offers exciting financial innovations for cryptocurrency enthusiasts, in keeping with the rapid development and loose regulation of the cryptocurrency field. If you want to borrow $200 million without collateral, or speculate on "meme" cryptocurrencies like DOGE and PEPE, DeFi is the only way to go.
At the same time, hackers see DeFi as a row of digital bank vaults, each with a public blueprint (its open-source code), practically an invitation to try and rob them. DeFi protocols have become a prime target for cryptocurrency hackers, who stole $2.2 billion from DeFi in 2021 and $3.1 billion in 2022, accounting for 80% of all cryptocurrency stolen that year, according to cryptocurrency research firm Chainalysis.
The most successful cryptocurrency hacker to date is the Lazarus Group: $1.1 billion of the $1.7 billion it stole in 2022 came from DeFi exploits.
In the face of endless attacks, DeFi protocols respond by hiring security firms to audit smart contracts and monitor threats, and even by courting white-hat hackers (that is, hackers who flag vulnerabilities for rewards, rather than black-hat hackers who exploit them for their own gain). Even a heavily vetted DeFi protocol that takes every precaution can still fall victim to a devastating hack, sometimes at the hands of a 19-year-old with God on his side.
Image credit: Instagram @federicojaimeok
This can all be prevented with a single line of code.
Back at the hotel, as the sun rose over Rome, Federico started working on a DeFi lending protocol called Euler Finance, developed by the London startup Euler Labs. Euler allows its users to take out loans worth up to ten times their deposited collateral; put in $10,000 and you can trade as if you had $100,000. But cryptocurrencies are volatile, and if prices move in the wrong direction, a user's collateral may no longer be enough to cover what they have borrowed. This is why, every time a user interacts with Euler, the platform checks the health of their account, and if the health score drops too low, an automatic liquidation is triggered.
But Federico noticed something that wasn't there: a missing health check on a single function in a single Euler smart contract. In just a few hours of research, Federico had found what Euler's team, as well as several independent smart contract auditors, had missed.
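The bug class the article describes, a state-changing function that skips the per-account health check every other entry point runs, reduces to a toy model. The following is an added, constructed illustration (not Euler's code, and the function names and leverage rule are assumed for the example): a minimal lending pool where the same operation is shown once without the check and once with the single added line that restores the invariant.

```python
# Toy collateralized lending pool with a per-account health check (constructed
# illustration, not Euler's code). Invariant: collateral * leverage / debt >= 1.
from contextlib import contextmanager

MAX_LEVERAGE = 10.0  # borrow up to 10x collateral, as the article describes


class Undercollateralized(Exception):
    """Raised when an operation would leave an account below the health floor."""


class LendingPool:
    def __init__(self):
        self.reserves = 0.0
        self.accounts = {}  # who -> {"collateral": usd, "debt": usd}

    def _acct(self, who):
        return self.accounts.setdefault(who, {"collateral": 0.0, "debt": 0.0})

    def health(self, who):
        """>= 1.0 is solvent; < 1.0 would trigger liquidation."""
        a = self._acct(who)
        return float("inf") if a["debt"] == 0 else a["collateral"] * MAX_LEVERAGE / a["debt"]

    @contextmanager
    def _tx(self, who):
        """Mimics an EVM revert: roll back account and reserve state if the body raises."""
        a = self._acct(who)
        snap, reserves = dict(a), self.reserves
        try:
            yield a
        except Exception:
            a.update(snap)
            self.reserves = reserves
            raise

    def _check_health(self, who):
        if (h := self.health(who)) < 1.0:
            raise Undercollateralized(f"{who}: health {h:.3f} < 1.0")

    def deposit(self, who, amount):
        self._acct(who)["collateral"] += amount

    def borrow(self, who, amount):
        with self._tx(who) as a:
            a["debt"] += amount
            self._check_health(who)  # guarded, like every normal entry point

    def donate_unchecked(self, who, amount):
        """Bug model: moves collateral into reserves and never re-checks health."""
        with self._tx(who) as a:
            a["collateral"] -= amount
            self.reserves += amount
            # missing: self._check_health(who)

    def donate_checked(self, who, amount):
        """Hardened version: the one added line restores the invariant."""
        with self._tx(who) as a:
            a["collateral"] -= amount
            self.reserves += amount
            self._check_health(who)


def demo(checked):
    """Deposit 10k, borrow 90k (health 1.111), donate 2k; return (health, reserves, reverted)."""
    pool = LendingPool()
    pool.deposit("alice", 10_000)
    pool.borrow("alice", 90_000)
    donate = pool.donate_checked if checked else pool.donate_unchecked
    try:
        donate("alice", 2_000)
        return pool.health("alice"), pool.reserves, False
    except Undercollateralized:
        return pool.health("alice"), pool.reserves, True
```

Without the check, the donation goes through and leaves the account at a health of roughly 0.889, below the liquidation floor; with it, the same call reverts and the account stays whole.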
"It's just divine inspiration. It's just awakening my muse," Federico said. "Exactly, after a month of searching for what I was looking for...I found it."
Federico began planning his attack. On March 13, after two days of non-stop programming, he was almost ready to execute. The only problem: he didn't know how to deploy the smart contract, nor how much it would cost.
“I was googling, ‘how much does it cost to deploy a smart contract?’ and I found … articles saying ‘from $5,000 to $50,000,’” Federico said, raising his voice to echo the disbelief he felt. "WTF"
But Federico went ahead and eventually learned that actual contract deployment costs are much lower. At this point, several days after he had last slept, Federico told me he wasn't thinking about money at all. "I think it's an experiment. Just an experiment," he explained. "I'm not sure it's going to work... I'm not sure I can deploy a smart contract. I'm more doubtful than certain."
"So I really underestimated the bug and myself because it finally worked," he added.
On the morning of March 13, 2023, at 9:54 a.m. Italian time, Federico was sitting in front of his computer. Over the course of 18 minutes, the three wallets he used to launch the attack on Euler Finance stole $197 million worth of cryptocurrency from the protocol. The funds all ended up in one wallet, a virtual duffel bag stuffed with piles of hundred-dollar bills.
“First, I thought, this is so exciting. I cracked a huge deal, and then I thought, wow, $200 million. This is a curse on my back.”
Still unable to sleep, Federico had the hotel concierge call an ambulance.
![The 19-year-old Euler hacker couldn't get past the 200 million dollar hesitation for three weeks](https://img-cdn.gateio.im/social/moments-69a80767fe-8eb6cbd321-dd1a6f-7649e1)
Image credit: Instagram @federicojaimeok
The first to spot anomalies are bots: some crypto security companies provide real-time threat monitoring and alerts for DeFi projects. In the case of the Euler hack, at least two security firms, Forta and Hypernative, were alerted before the attack began.
Unfortunately for Euler Labs, which declined to comment for this article, the automated alert came only minutes before the attack began, leaving the London-based startup too little time to secure the protocol. ("We typically predict an attack between a minute and an hour," said Alex Behrens, Forta's marketing manager.)
At 8:59 a.m. UK time on Monday, March 11, blockchain security company PeckShield posted on social media, "Hi @eulerfinance: you might want to take a look," and linked to a page showing that a wallet had drained Euler's DAI stablecoin pool of more than $8.7 million.
Then everyone watched Euler get hit again and again. The hacker stole $18.5 million in WBTC, then $116 million in stETH... In the end, the hacker walked away with $197 million, and Euler's reserves of all six tokens were wiped out.
At 9:56 a.m., Euler replied to PeckShield on social media: "We are aware, and our team is currently working with security professionals and law enforcement. We will release further information as soon as we have it."
Because this is cryptocurrency, everyone can see the funds in the hacker's wallet. By looking at the wallet's transactions, security experts were able to reverse engineer the attack, eventually uncovering the single vulnerability that led to the theft. But also because it was cryptocurrency, Euler's team had no way of linking the wallet to a real-life identity, or understanding the hacker's intentions.
On March 13, the hacker's final act was to send 100 ETH (worth $168,000 at the time) through Tornado Cash, a "mixing" protocol on Ethereum that makes funds harder to trace. Then the wallet address went silent.
At 10:47 that night, the Euler team sent a message to the hacker's wallet: "We understand that you are responsible for this morning's attack on the Euler platform. We are writing to see if you would like to discuss any possible next steps with us." This tentative communication marked the beginning of three difficult weeks for the Euler team.
The next day at 9:22 p.m., Euler's team sent another message to the hacker's wallet, offering a deal: return 90% of the stolen funds within 24 hours and keep the rest, a de facto $20 million bug bounty. Otherwise, Euler would offer a $1 million bounty to anyone who provided information leading to the hacker's arrest.
The hacker didn't respond.
On March 15th at 11:20am, the Euler team sent yet another message to the hacker's wallet, reiterating the previous bug bounty offer. “The investigation can then be stopped and the focus can shift to distributing it back to protocol users without going the legal route,” Euler’s team wrote.
At 10:06 p.m., after the hacker remained silent, the Euler team announced a $1 million reward for information leading to the hacker's arrest and the recovery of the funds. The next day, Euler co-founder and CEO Dr. Michael Bentley shared his response to the attack, calling the previous few days the hardest of his life and expressing his grief for the users affected.
"I had to sacrifice time with my newborn son," Bentley tweeted. “I will never forgive the attackers, but they can correct their mistakes and return funds to EulerDAO Treasury as soon as possible.”
Image credit: Instagram @federicojaimeok
Federico Jaime claims he never intended to keep the money. “I knew from the beginning that $200 million was not a small number, it would cause huge damage to the DeFi community, and that was not my goal at all.”
We'd all like to know: did Federico ever wonder, even for a moment, what $200 million could buy? Did he imagine himself living in a mansion? On a yacht?
"Never, not at all, because I'm an entrepreneur. I can make money legally and flawlessly. I don't need to steal. I have no reason to take other people's money."
From most people, such a comment would earn nothing more than rolled eyes. After all, the crypto community is not known for its humility. But I've seen pictures of Federico traveling around Europe, staying in five-star hotels, and wearing designer streetwear. In our conversations over the phone and the occasional text, I asked Federico, who turns 20 in June, how he maintains his lifestyle.
Federico grew up in Buenos Aires with his parents and younger sister. Inspired by his software engineer father, he learned to program at age 12 and sold his first program, a plugin for the video game Minecraft, for $10,000 at age 14. "It means freedom because I no longer have to ask my parents for money and they applaud me."
As he got older, Federico moved on to a new game, GTA V, where he developed an anti-cheat system for a custom multiplayer server run by die-hard fans of the game. "I found a memory read bug. I saw that we could profit from it," Federico said, adding that the software, FiveGuard, is now owned by someone else. "It's special because when you get onto a game server with some sort of unfair advantage, you get banned immediately."
Federico originally planned to go to law school in Argentina, but after graduating in 2020 and dealing with the COVID-19 pandemic (Buenos Aires had many local restrictions and a long quarantine period), Federico, with his parents' consent, decided to take a long vacation before college.
In early October last year, Federico traveled to Rome. In December, he allegedly targeted Buenbit, a cryptocurrency exchange operating in Argentina, Mexico and Peru, and stole hundreds of thousands of dollars. Buenbit CEO Federico Ogue characterized the attack as fraudulent. News reports citing police sources put the cost of the attack at $800,000, a figure Federico denied.
Federico would not comment on the specifics of the case, and while he acknowledged that he targeted Buenbit, he also claimed that many of the more exciting details in media reports were either misleading or outright fabricated. The 20-year-old maintains his innocence in the case, noting that he and his lawyer are in contact with Buenbit's team and that he hopes the matter will be resolved as soon as possible.
And, just a few months later, Federico has new worries, this time 200 million.
![The 19-year-old Euler hacker couldn't get past the 200 million dollar hesitation for three weeks](https://img-cdn.gateio.im/social/moments-69a80767fe-d0430818da-dd1a6f-7649e1)
Image credit: Instagram @federicojaimeok
At the time of the attack, Euler Finance had as many as 7,000 users. Two days later, on March 15, one of the victims decided to send a message to the hacker's wallet (Federico's wallet).
"Please consider returning 90%/80%. I am a user with only 78 wstETH, and as a user who has put my life savings in Euler, I am not a whale or a millionaire," wrote the user, whom DL News confirmed to be an Argentine blockchain developer named Santiago Avalos. "You can't imagine the chaos I'm in right now, totally devastated... Your decision will be a relief to many affected."
Avalos' life savings of 78 wstETH were worth over $140,000 at the time. Thirteen hours after Avalos sent the message, Federico responded, but not with a text message. Instead, Federico made his first move since the hack three days earlier, sending 100 ETH to Avalos, about $27,000 more than the victim had lost in the Euler hack. Avalos transferred the excess funds back to Euler, saying, "I believe he may have been moved by my message."
“It’s a gesture of my heart,” Federico said of his motivation for returning the funds. "I was being generous. Also, I later found out that this guy...was also Argentinian and a Solidity developer," he added. "It's a very interesting coincidence indeed."
Federico had not yet begun returning the funds. By then he had also sent himself a total of 1,100 ETH through Tornado Cash in two transactions, bringing what he had taken for himself to nearly $2 million. When I asked him why, Federico told me: "I didn't think much about it. I thought, if they give me 10% of the bounty, it's too much for me. I'll try to take 1% of it."
His next move is by far the most puzzling. On March 17, just before 5 a.m., Federico sent another 100 ETH, this time to a notorious wallet that a year earlier had carried out one of the largest cryptocurrency hacks in history, stealing more than $600 million from the Ronin Bridge. Just one month after that hack, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) officially linked the Ronin Bridge exploit to the Lazarus Group.
Yet when I asked him about it, his explanation blew me away. "I had no idea this was North Korea. I never suspected it," he began. “The reason I sent 100 ETH to Ronin exploiters was pure admiration… I guess, from white hat hackers to black hat hackers, I wanted to express my admiration.”
I was stunned and Federico saw it too. "I know you didn't expect me to say that, but it's true," he replied. "I think this is the most important area in the world today, and the Ronin hack was an act of engineering. In that sense, it's admirable... Demons can be beautiful women."
The next day, Federico began returning the funds, initially in three installments of 1,000 ETH each, totaling approximately $5.4 million at the time. Then, his wallet went dormant again. Analysts were skeptical at the time that Euler would be able to recover the remaining funds.
But two days later, on March 20, Federico sent his first message to Euler's team: "We want to make it easy for everyone affected. No intention of keeping things that don't belong to us. Set up secure communications. Let's make a deal."
Federico admitted the message came a bit late: "I was trying to decide if it was a good idea to keep $20 million to myself ... because that's what Euler offered me," he said. "I was really unprepared, inexperienced, and new... I didn't sleep for days, weeks, but at the end of the day, I knew I had to give it back, and I knew I didn't want to do any damage to Euler's user base."
Still, it took Federico a while to return the funds. On March 25 at around 3 p.m., 81,953 ETH (approximately $143 million) was returned first. Then on the 27th, $10 million in DAI followed. At 3 a.m. on the 28th, Federico publicly apologized, saying, "I screwed up. I didn't want to, but I messed up other people's money, other people's work, other people's lives... please forgive me." However, some funds were still under his control.
Finally, on April 3rd, the Euler team excitedly announced that after the hacker's last few transactions, all "recoverable funds" had been returned. Euler also officially revoked the $1 million bounty on Federico's head. The return of funds marked one of the most successful recoveries in DeFi history, and Federico was relieved that it was all over.
Then, two and a half months later, Federico's wallet became active again, sending messages to himself. The first was on June 17th, with just two words: "Ben yre" - Buenos Aires. Seventeen minutes later, another message came from the wallet, also in Spanish, claiming to be an Argentinian, Peronist, and white hat hacker. The message's advice to fellow hackers: "Don't be stupid, don't steal, earn the bounty."
At the end of the message, the wallet linked to an Instagram account, @federicojaimeok. I sent him a private message. We started talking on Instagram, where Federico's stories are archived going back to September 2022, and then we talked on Telegram. During our conversation, everything this man told me matched up with what I had learned about Federico from other sources. Federico also gave me his father's phone number; his father confirmed his identity and his relationship to Federico, and provided other information that matched what Federico had told me.
Federico told me that he decided to show up not for his own benefit, but for the benefit of the DeFi community. "I want to encourage ethical hacking, that's the main reason, and I want to be able to have a voice and tell people to do the right thing."
Federico also hopes that Euler's tactics of negotiating with attackers will set a precedent for other parts of DeFi to follow. “I’m sure the hacking scene in decentralized finance will be different after the Euler hack. I think it shows the world the importance of auditing, and the importance of negotiating after a hack,” he said.
Not everyone in the cryptocurrency space is enthusiastic about bug bounties and hacker negotiations becoming the norm, though. "Most DeFi hacks do not start from legitimate bug bounties," said Erin Plante, vice president of investigations at Chainalysis. "Instead of getting paid $100,000 or $500,000, they often demand 50% or more of the total amount of stolen funds as a commission, which is more like extortion."
Plante also noted that as law enforcement agencies get better at tracking illicit cryptocurrencies, it becomes harder for hackers to cash out their winnings. "In this context, coupled with a collective decline in bounties across the industry, the incentives for hackers to do the work will hopefully change," she said.
Federico has repeatedly insisted to me that his plan from the start was to return the funds. So why did it take him three weeks?
"I want to have time to protect myself and find ways to be safe, legally and otherwise," he said.
Of course, some of Federico's claims cannot be verified. Federico told me that the design and implementation of the attack were entirely his own work ("I did it all myself"), though he occasionally got advice from a colleague, such as a list of DeFi protocols to research (a claim that could also mask the involvement of others, since there is no way to determine who wrote the code from the on-chain data we have).
We'll also never know if Federico would have kept the money had he planned the attack better. He admitted to me that he regretted not thinking about the consequences, but said it was just about doing the right thing. "I just didn't plan enough and the amount was too big for me to handle," he said.
Federico told me he regrets the pain he caused Euler's team. "When I read Michael Bentley's tweet saying he had to sacrifice time with his family, it broke my heart," he said. When I asked him if he was concerned about future repercussions from the attack, he dismissed those concerns. “I am confident that, legally, the Euler team will not be able to retroactively trace me back, as this would prevent future hackers from returning funds.”
To the delight (and near disbelief) of victims, Euler Finance began paying out compensation to those affected by the attack on April 12. The fallout from the exploit spread to 11 other DeFi protocols; one of them, Yield Protocol, did not resume operations until June 27. Euler Finance itself has been crippled since the hack.
Federico, still in Europe, described his personal situation as "complicated" but said he hoped to return to Buenos Aires soon to continue his studies. "My life hasn't been that easy since the Euler hack and it's left me stressed."
I asked Federico if he thought God, seemingly answering his prayers, was teaching him a lesson. "I think he's either playing a game with me or (testing) me," he replied.
Federico hasn't made up his mind yet.