Over $7 million from the protocol was purportedly stolen by the attacker by manipulating the rate at which ERC-20 tokens and hTOKENS exchange.
A major security issue has been found in the Hundred Finance multichain lending protocol on the Ethereum layer-2 blockchain Optimism. According to a tweet from the protocol, the losses total $7 million.
On April 15, Hundred Finance announced the exploit and stated that it had been in touch with the hacker and was working with multiple security teams to address the issue. The protocol does not specify how the attack was carried out, however, the blockchain security company CertiK identified it as a flash loan attack:
#CertiKSkynetAlert 🚨@HundredFinance’s attacker manipulated the exchange rate between ERC-20 tokens and htokens which allowed them to withdraw more tokens than they had originally deposited. The estimated losses of this attack is around $7.4 million.
Stay vigilant! https://t.co/1hxAnFoNjj
— CertiK Alert (@CertiKAlert) April 15, 2023
Flash loan attacks involve hackers obtaining a significant amount of funds from a lending protocol in the form of an uncollateralized loan. The hacker then makes use of these funds to manipulate the decentralized finance (DeFi) platform’s asset price.
According to Certik, in Hundred’s scenario, the attacker manipulated the rate at which ERC-20 tokens and hTOKENS exchanged, enabling them to withdraw more tokens than they had initially invested. The blockchain security company continued on saying:
Through Cash value, the exchange rate formula was manipulated. The amount of WBTC that the hBTC contract holds is known as cash. By sending significant quantities of WBTC to the hToken contract, the attacker caused the exchange rate to rise.
According to Certik, significant loans were obtained while the exchange rate was manipulated. A post-mortem report on the incident was prepared by Hundred Finance.
Nearly a year has passed since Hundred had been exposed to another Gnosis Chain exploit before this attack. Using a reentrancy attack, the hacker then completely drained the protocol’s liquidity, stealing $6 million. The hacker also stole money from the Agave protocol exploiting the same attack.
DeFi Hacks in 2023
Many hackers have been using flash loan attacks to target DeFi protocols since last year. Recent incidents include attacks on Mango Markets ($46 million) and Euler Finance ($196 million). While Mango’s hacker has been arrested by American police, Eulerwhile’s hacker has refunded most of the stolen money.
This incident adds to the growing list of losses from hacks in 2023 and emphasizes the dangers of DeFi even further.