Decentralized Finance (DeFi) protocol Hundred Finance suffered an exploit on Optimism, an Ethereum (ETH) layer-2 scaling solution, resulting in a loss of nearly $7 million.
On April 16, security auditing firm CertiK took to Twitter to reveal that the hack was a flash loan attack in which the hacker manipulated the exchange rate between ERC-20 tokens and hTokens, allowing the perpetrators to withdraw more tokens than originally deposited.
According to the security firm, the hacker donated a large amount of Wrapped Bitcoin (WBTC) to the hToken contract, causing the exchange rate to rise. The attacker then capitalized on that rate to take a large borrow position under the new exchange rate and redeemed the amount they had initially deposited. This eventually resulted in the mammoth loss for Hundred Finance.
#CertiKSkynetAlert 🚨@HundredFinance’s attacker manipulated the exchange rate between ERC-20 tokens and htokens which allowed them to withdraw more tokens than they had originally deposited. The estimated losses of this attack is around $7.4 million.
Stay vigilant! https://t.co/1hxAnFoNjj
— CertiK Alert (@CertiKAlert) April 15, 2023
How Did The Exploit Happen?
Meanwhile, according to another blockchain security firm, PeckShield, the hacker stole the funds by donating 200 WBTC to inflate the exchange rate for hWBTC. This made it possible to drain the lending pools with the meager amount of hWBTC deployed by the attacker. The diagnosis came after Hundred Finance announced the exploit on April 15, saying it had contacted the hacker and was working with various security teams on the incident. CertiK wrote,
“The exchange rate formula was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up.”
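The effect CertiK describes can be seen in a small model. The following Python sketch is an added example, not code from Hundred Finance, CertiK or PeckShield; it assumes the Compound-style rate formula (cash + borrows - reserves) / total supply, and the Market class, its fields and the 2x alert threshold are hypothetical. It compares cash read from the contract's token balance with cash tracked internally on deposit, and adds a simple rate-jump check a monitor could run.

```python
from dataclasses import dataclass

SCALE = 10**18  # fixed-point scale for the exchange rate (assumption)

@dataclass
class Market:
    """Toy hToken-style market; every name here is hypothetical."""
    token_balance: int = 0   # underlying actually held at the contract address
    tracked_cash: int = 0    # underlying received through mint() only
    borrows: int = 0
    reserves: int = 0
    total_supply: int = 0    # hTokens in circulation
    use_tracked_cash: bool = False  # False = balance-based, donation-sensitive

    def cash(self) -> int:
        return self.tracked_cash if self.use_tracked_cash else self.token_balance

    def exchange_rate(self) -> int:
        if self.total_supply == 0:
            return SCALE  # initial rate (assumption)
        return (self.cash() + self.borrows - self.reserves) * SCALE // self.total_supply

    def mint(self, amount: int) -> int:
        minted = amount * SCALE // self.exchange_rate()
        self.token_balance += amount
        self.tracked_cash += amount
        self.total_supply += minted
        return minted

    def donate(self, amount: int) -> None:
        # Plain ERC-20 transfer to the contract: balance changes, no hTokens minted.
        self.token_balance += amount

def rate_jump(before: int, after: int, max_ratio: int = 2) -> bool:
    """Monitoring check: flag a rate that grew more than max_ratio between observations."""
    return after > before * max_ratio

def simulate(use_tracked_cash: bool):
    m = Market(use_tracked_cash=use_tracked_cash)
    m.mint(2)                  # constructed sample: tiny supply, in smallest units
    before = m.exchange_rate()
    m.donate(200 * 10**8)      # 200 WBTC at 8 decimals, the figure PeckShield cites
    after = m.exchange_rate()
    return before, after, rate_jump(before, after)

if __name__ == "__main__":
    print("balance-based cash:", simulate(False))
    print("tracked cash:      ", simulate(True))
```

With balance-based cash the donation multiplies the rate and the monitor fires; with internally tracked cash the rate is unchanged, because the donated tokens never enter the formula.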
Estimated current loss is ~7m USD.
Once again we hope the hacker will reach out back to us and we will be able to find a joint solution to resolve this matter. 🙏
Thank you everyone for your support and help during these difficult times. ❤️ https://t.co/wLGAl4AAGA
— Hundred Finance (@HundredFinance) April 15, 2023
This is not the first time Hundred Finance has suffered an attack. Last year, Hundred was hit by another exploit on the Gnosis Chain, where the hacker drained all of the protocol’s liquidity through a reentrancy attack, resulting in a loss of over $6 million. In the same exploit, the hacker also stole funds from the Agave protocol.
DeFi Attacks On The Rise
DeFi hacks have surged dramatically in recent years, with attackers stealing almost $119 million in crypto in 19 breaches since the beginning of this year. The biggest DeFi hack so far this year was February’s attack on Bonq DAO, a decentralized borrowing protocol. Hackers compromised the protocol’s smart contract and manipulated the price of AllianceBlock tokens, draining a massive $88 million of crypto out of the protocol.
According to various reports, more than $16.7 billion worth of cryptocurrency has gone missing in various hacks and scams since 2011. Recently, a 55-year-old Hong Kong-based woman lost nearly $891,723 in two months after falling victim to an online cryptocurrency investment scam.