The attacker reportedly manipulated the exchange rate between ERC-20 tokens and hTOKENS to steal over $7 million from the protocol.
Multichain lending protocol Hundred Finance has experienced a significant security breach on the Ethereum layer-2 blockchain Optimism. According to the protocol on Twitter, the losses sit at $7.4 million.
Hundred Finance announced the exploit on April 15, saying it had contacted the hacker and was working with various security teams on the incident. Although the protocol didn’t reveal how the attack was executed, blockchain security firm Certik noted that it was a flash loan attack:
#CertiKSkynetAlert @HundredFinance’s attacker manipulated the exchange rate between ERC-20 tokens and htokens which allowed them to withdraw more tokens than they had originally deposited. The estimated losses of this attack are around $7.4 million.
Stay vigilant! https://t.co/1hxAnFoNjj
— CertiK Alert (@CertiKAlert) April 15, 2023
Flash loan attacks take place when a hacker borrows a large amount of funds via a flash loan (a type of uncollateralized loan) from a lending protocol. The hacker then combines it with other techniques to manipulate the price of an asset on a decentralized finance (DeFi) platform.
In Hundred’s case, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS, allowing them to withdraw more tokens than originally deposited, according to Certik. The blockchain security firm continued:
“The exchange rate formula was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up.”
Certik says that large loans were taken out under the manipulated exchange rate. Hundred Finance is preparing a postmortem report on the incident.
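To make the mechanism Certik describes concrete from a monitoring standpoint, here is an added example (not Hundred Finance's or Certik's code) that models a lending market's exchange-rate arithmetic and a simple detector. It assumes the Compound-style formula exchange rate = (cash + borrows - reserves) / totalSupply for hTokens; the `Market` class, `SCALE`, the 1:1 starting rate, the `ledger_cash` bookkeeping and all numbers are constructed for illustration. A direct token transfer into the contract raises Cash without minting shares, so the rate jumps far beyond anything interest accrual could produce, which a block-by-block monitor can flag, and the donated amount shows up as cash that mint/redeem events do not explain.

```python
from dataclasses import dataclass

SCALE = 10**18  # exchange rate is fixed-point with 18 decimals, as in Compound's cToken


@dataclass
class Market:
    """Minimal model of a Compound-style lending market (assumption: hTokens use
    this accounting). Units are the underlying token's smallest unit."""
    cash: int = 0           # underlying actually held by the contract (the "Cash" term)
    borrows: int = 0        # outstanding borrows
    reserves: int = 0       # protocol reserves
    total_supply: int = 0   # hToken (share) supply
    ledger_cash: int = 0    # cash explained by mint/redeem events (monitor's bookkeeping)

    def exchange_rate(self) -> int:
        """Underlying per share, scaled by SCALE. With no shares outstanding the
        market starts at 1:1 (a simplification of the configured initial rate)."""
        if self.total_supply == 0:
            return SCALE
        return (self.cash + self.borrows - self.reserves) * SCALE // self.total_supply

    def mint(self, amount: int) -> int:
        """Deposit underlying and receive shares at the current rate."""
        shares = amount * SCALE // self.exchange_rate()
        self.cash += amount
        self.ledger_cash += amount
        self.total_supply += shares
        return shares

    def redeem(self, shares: int) -> int:
        """Burn shares and receive underlying at the current rate."""
        amount = shares * self.exchange_rate() // SCALE
        self.total_supply -= shares
        self.cash -= amount
        self.ledger_cash -= amount
        return amount

    def donate(self, amount: int) -> None:
        """A direct ERC-20 transfer into the contract: Cash rises but no shares are
        minted, so the exchange rate jumps. No mint event is emitted for the ledger."""
        self.cash += amount

    def unaccounted_cash(self) -> int:
        """Cash the contract holds that mint/redeem bookkeeping cannot explain."""
        return self.cash - self.ledger_cash


def rate_jump_bps(prev_rate: int, new_rate: int) -> int:
    """Exchange-rate change in basis points."""
    return (new_rate - prev_rate) * 10_000 // prev_rate


def rate_jump_alert(prev_rate: int, new_rate: int, max_bps: int) -> bool:
    """True when the rate moved more in one step than interest could plausibly accrue."""
    return rate_jump_bps(prev_rate, new_rate) > max_bps


def run_scenario() -> dict:
    """Constructed example: a thin market receives a large donation in one block."""
    m = Market()
    shares = m.mint(1_000)                 # honest depositor: 1,000 units -> 1,000 shares
    before = m.exchange_rate()
    m.donate(500_000)                      # constructed direct transfer into the contract
    after = m.exchange_rate()
    return {
        "shares": shares,
        "rate_before": before,
        "rate_after": after,
        "jump_bps": rate_jump_bps(before, after),
        "alert": rate_jump_alert(before, after, max_bps=100),
        "unaccounted": m.unaccounted_cash(),
        "redeem_value": m.redeem(shares),   # the 1,000 shares now claim the whole cash balance
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two checks are complementary: `rate_jump_alert` needs only the public exchange rate sampled each block, while `unaccounted_cash` needs an event-derived ledger but pinpoints the cause. Both fire on a donation-driven jump that a normal day of interest accrual never produces.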
This attack comes almost 12 months after Hundred was exposed to another exploit on the Gnosis Chain. At that time, the hacker drained all the protocol’s liquidity through a re-entrancy attack. Over $6 million was lost. In the same exploit, the hacker also stole funds from the Agave protocol.
Since last year, a number of perpetrators have used flash loan attacks to target DeFi protocols. Recent cases include attacks against Euler Finance ($196 million) and Mango Markets ($46 million). While Euler’s hacker returned most of the funds, Mango’s thief has been arrested by United States authorities.