Multi-chain lending protocol Hundred Finance was exploited over the weekend, losing more than $7 million in a flash loan exploit. 

The protocol’s team disclosed the exploit on Saturday, telling users they had reached out to the hacker and were in talks with various security teams in an effort to recover the funds. The protocol was exploited on Ethereum Layer 2 network Optimism.

Analysis from blockchain security firm CertiK estimated the total losses from the exploit are closer to $7.4 million. CertiK found that the exploiter orchestrated the attack by manipulating the exchange rate between ERC-20 tokens and hTOKENS. 

hTOKENS are Hundred Finance’s interest-bearing tokens that represent user deposits on the platform. These tokens conform to the ERC-20 token standard, but are subject to a fluctuating exchange rate based on the level of borrowing by other users. 

According to CertiK, the hacker manipulated the exchange rate through Cash value – something that represents the amount of Wrapped Bitcoin (wBTC) that the hBTC contract holds. The attacker donated larger amounts of wBTC to the hTOKEN contract in order to move the exchange rate higher.

The attacker then borrowed a large amount under this inflated exchange rate and got back the amount donated by redeeming 1 hTOKEN.

Another blockchain security firm, Numen Cyber Technology, broke down the hacker’s loot, finding that the exploiter stole 1,030 ETH, 1.13 million USDT, 1.2 million USDC and 824,788 DAI along with a number of other synthetic and wrapped tokens.

Hundred Finance’s native token HND fell 45% after news of the exploit and was trading at around $0.02 at the time of writing.

The protocol suffered another exploit last year, which took place on the Gnosis chain in March 2022. At the time, Hundred Finance lost $6 million in a re-entrancy attack that also targeted the Agave protocol.