Hundred Finance loses $7 million in Optimism hack

Multi-chain lending protocol Hundred Finance experienced a significant security breach on the Ethereum layer-2 Optimism blockchain. According to the protocol on Twitter, the losses amount to 7.4 million dollars.

Hundred Finance announced the exploit on April 15, saying it had contacted the hacker and was working with various security teams on the incident. Although the protocol did not reveal how the attack was executed, blockchain security firm Certik noted that it was a flash loan attack.

Flash loan attacks take place when a hacker borrows a large amount of funds through a flash loan (a type of unsecured loan) from a lending protocol. The hacker then combines it with other techniques to manipulate the price of an asset on a decentralized finance (DeFi) platform.

In the case of Hundred, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS, allowing them to withdraw more tokens than originally deposited, according to Certik. The blockchain security firm continued:

“The exchange rate formula was manipulated via cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate increases.”

Certik says significant borrowings were taken under the manipulated exchange rate. Hundred Finance is preparing a post-mortem report on the incident.
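The donation effect Certik describes, as an added Python model (not code from Hundred Finance or Certik). It assumes a rate of (cash + borrows - reserves) / hToken supply; the class, the function names and the numbers are constructed for illustration, and the internal cash ledger is one possible mitigation, not the protocol's published fix.

```python
from fractions import Fraction

class Market:
    """Constructed toy model of one lending market (units are arbitrary)."""

    def __init__(self, track_cash_internally):
        self.track_cash_internally = track_cash_internally
        self.token_balance = 0   # underlying the contract actually holds
        self.internal_cash = 0   # underlying recorded by deposit() only
        self.borrows = 0
        self.reserves = 0
        self.total_supply = 0    # hTokens outstanding

    def cash(self):
        # Weak: trust the raw balance. Hardened: trust the internal ledger.
        if self.track_cash_internally:
            return self.internal_cash
        return self.token_balance

    def exchange_rate(self):
        if self.total_supply == 0:
            return Fraction(1)   # constructed initial rate
        return Fraction(self.cash() + self.borrows - self.reserves, self.total_supply)

    def deposit(self, amount):
        minted = int(Fraction(amount) / self.exchange_rate())
        self.token_balance += amount
        self.internal_cash += amount
        self.total_supply += minted
        return minted

    def donate(self, amount):
        # Direct token transfer to the contract: balance grows, no hTokens minted.
        self.token_balance += amount

    def unaccounted_surplus(self):
        # Monitoring signal: tokens held that no deposit explains.
        return self.token_balance - self.internal_cash

def rate_after_donation(track_cash_internally, deposit, donation):
    m = Market(track_cash_internally)
    m.deposit(deposit)
    before = m.exchange_rate()
    m.donate(donation)
    return before, m.exchange_rate()

def rate_jump_exceeds(before, after, max_ratio):
    # Guard/alert: flag a rate increase larger than max_ratio between two reads.
    return after > before * max_ratio
```

With a deposit of 1,000 and a donation of 9,000, the balance-based rate moves from 1 to 10, while the ledger-based rate stays at 1 and the 9,000 shows up as unaccounted surplus.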

This attack comes nearly 12 months after Hundred suffered another exploit on Gnosis Chain. In that incident, the hacker drained all liquidity from the protocol through a reentrancy attack. Over $6 million was lost. In the same exploit, the hacker also stole funds from the Agave Protocol.

Since last year, a number of actors have used flash loan attacks to target DeFi protocols. Recent cases include attacks on Euler Finance ($196m) and Mango Markets ($46m). While Euler’s hacker returned most of the funds, the Mango thief was arrested by US authorities.
