Multi-chain lending protocol Hundred Finance was exploited over the weekend, losing more than $7 million in a flash loan attack.
The protocol’s team disclosed the exploit on Saturday, telling users they had reached out to the hacker and were in talks with various security teams in an effort to recover the funds. The protocol was exploited on Ethereum Layer 2 network Optimism.
It looks like Hundred got hacked on #Optimism. We will update when there is more information on it.
— Hundred Finance (@HundredFinance) April 15, 2023
Estimated current loss is ~7m USD.
Once again we hope the hacker will reach back out to us and we will be able to find a joint solution to resolve this matter. 🙏
Thank you everyone for your support and help during these difficult times. ❤️ https://t.co/wLGAl4AAGA
— Hundred Finance (@HundredFinance) April 15, 2023
Analysis from blockchain security firm CertiK estimated the total losses from the exploit are closer to $7.4 million. CertiK found that the exploiter orchestrated the attack by manipulating the exchange rate between ERC-20 tokens and hTOKENS.
hTOKENS are Hundred Finance’s interest-bearing tokens that represent user deposits on the platform. These tokens conform to the ERC-20 token standard, but are subject to a fluctuating exchange rate based on the level of borrowing by other users.
According to CertiK, the hacker manipulated the exchange rate through the Cash value, which represents the amount of Wrapped Bitcoin (wBTC) that the hBTC contract holds. The attacker donated large amounts of wBTC to the hTOKEN contract in order to push the exchange rate higher.
The attacker then borrowed a large amount under this inflated exchange rate and got back the amount donated by redeeming 1 hTOKEN.
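The check below is an added example, not code from Hundred Finance or CertiK: a monitor that recomputes an hTOKEN market's exchange rate from successive snapshots and flags the donation pattern described above. The Compound-style rate formula, the thresholds, the function names and all snapshot values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Snapshot:
    """Constructed per-block view of one hTOKEN market, in raw token units."""
    cash: int      # underlying balance held by the market contract ("Cash")
    borrows: int   # underlying currently lent out
    reserves: int  # underlying set aside for the protocol
    supply: int    # hTOKENs in circulation

def exchange_rate(s: Snapshot) -> Fraction:
    # Assumed Compound-style formula: underlying backing each hTOKEN.
    if s.supply == 0:
        return Fraction(0)
    return Fraction(s.cash + s.borrows - s.reserves, s.supply)

def donation_flags(prev: Snapshot, cur: Snapshot,
                   max_jump: Fraction = Fraction(11, 10),
                   dust_supply: int = 1_000) -> list[str]:
    """Reasons the step prev -> cur looks like a donation-inflated rate."""
    flags = []
    r0, r1 = exchange_rate(prev), exchange_rate(cur)
    if r0 > 0 and r1 > r0 * max_jump:
        flags.append("rate_jump")
    if 0 < cur.supply <= dust_supply:
        flags.append("dust_supply")
    # Cash that arrived without new hTOKENs minted or borrows repaid.
    unexplained = (cur.cash - prev.cash) - max(prev.borrows - cur.borrows, 0)
    if unexplained > 0 and cur.supply <= prev.supply:
        flags.append("unbacked_cash")
    return flags

def should_pause_borrowing(prev: Snapshot, cur: Snapshot) -> bool:
    # Alert policy for this sketch: all three signals in the same step.
    return len(donation_flags(prev, cur)) == 3

# Constructed samples: ordinary interest accrual, a loan repayment, a donation.
ACCRUAL = (Snapshot(1_000_000, 500_000, 0, 75_000_000),
           Snapshot(1_000_000, 500_050, 0, 75_000_000))
REPAY = (Snapshot(1_000, 500, 0, 1_000_000), Snapshot(1_500, 0, 0, 1_000_000))
DONATION = (Snapshot(2, 0, 0, 2), Snapshot(500_000_002, 0, 0, 2))

if __name__ == "__main__":
    for name, (p, c) in [("accrual", ACCRUAL), ("repay", REPAY), ("donation", DONATION)]:
        print(name, float(exchange_rate(c)), donation_flags(p, c))
```

Interest accrual and repayments move Cash or the rate without tripping the alert; only a cash increase with no matching mint, on a market whose hTOKEN supply is near zero, raises all three flags.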
Today's Hundred Finance attack has a pretty unique attack loop.
Mint, redeem it all – 2, transfer it back to the ctoken contract(!), borrow a lot(!), take the target funds, redeem the big pile of the original currency(!), liquidate the child attack contract, and redeem 1. pic.twitter.com/TNseoCeon3
— Daniel Von Fange (@danielvf) April 15, 2023
Another blockchain security firm, Numen Cyber Technology, broke down the hacker’s loot, finding that the exploiter stole 1,030 ETH, 1.13 million USDT, 1.2 million USDC and 824,788 DAI along with a number of other synthetic and wrapped tokens.
Hundred Finance’s native token HND fell 45% after news of the exploit and was trading at around $0.02 at the time of writing.
The protocol suffered another exploit last year, which took place on the Gnosis chain in March 2022. At the time, Hundred Finance lost $6 million in a re-entrancy attack that also targeted the Agave protocol.