Hundred Finance, a popular decentralized finance (DeFi) platform, has fallen victim to a cyberattack on the Optimism network, resulting in a loss of $7.4 million. The incident has sent shockwaves through the crypto community, raising concerns about the security of DeFi protocols.
According to sources, the hack occurred on April 15, 2023, when attackers exploited a vulnerability in the Optimism network, a layer 2 scaling solution for Ethereum, which Hundred Finance uses for faster and cheaper transactions.
Hackers move on to another crypto entity
According to reports, Hundred Finance disclosed the vulnerability on April 15, stating that it had contacted the hacker and was coordinating with multiple security teams to address the incident. Although the protocol did not reveal how the attack was carried out, blockchain security firm CertiK stated that it was a flash loan attack.
Hundred Finance is a multi-chain lending protocol that employs the veHND model for decentralized finance (DeFi). The protocol integrates with Chainlink‘s oracles to ensure market health and stability.
Flash loan attacks involve a hacker borrowing a large sum of money from a lending protocol in the form of an unsecured loan. The hacker then manipulates the price of an asset on a decentralized finance (DeFi) platform using the stolen funds.
According to Certik, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS in Hundred’s case, allowing them to withdraw more tokens than they had initially deposited.
On Hundred Finance’s website, hTOKENS are described as “interest-bearing, tokenized representations of user deposits” whose value fluctuates based on the activities of other borrowers. Additionally, wrapped Bitcoin, an Ethereum-based token backed 1:1 by Bitcoin, was utilized in the attack. The blockchain security company went on:
The exchange rate formula was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up.
Certik
Certik claims that large loans were taken out while the exchange rate was manipulated. Hundred Finance was putting together a post-mortem report on the incident.
Hundred Finance’s response
Hours after the attack, the protocol team at Hundred Finance stated that it was preparing a post-mortem to determine how the attack occurred. In addition, the protocol instructed individuals not to speculate until an official statement provides clarification.
Additionally, Hundred Finance stated that it is attempting to communicate with the hacker in an effort to recover some or all of the stolen funds. Hundred Finance stated in a separate Tweet that it was also communicating with various security teams about the incident.
A member of the Hundred Finance team with the alias acidbird stated in a chatroom on the company’s Discord server that the “hacker is not talking yet” but that the team is working “on all possible scenarios.”
Moreover, according to acidbird, members of the Hundred Finance team have been “hit financially” by the attack, including one individual who had all of their stablecoins on the protocol.
On Sunday, the protocol requested that affected users based in the United States, specifically the state of New York, contact Hundred Finance via Twitter or the messaging application Discord.
Saturday, when the value of the protocol’s Hundred Finance token, HND, was approximately $0.0416, according to CoinGecko, Hundred Finance issued its first Twitter alert about the attack. Since then, it has dropped approximately 46% to $0.0212.
According to Web-3-focused security firm Numen Cyber Technology, Hundred Finance’s loss includes over 1000 Ethereum, approximately 1.2 million stablecoin USDC, approximately 1.1 million stablecoin Tethern, and nearly 843,000 stablecoin DAI, among other tokens.
This attack comes nearly a year after Hundred was exposed to another Gnosis Chain exploit. At the time, the hacker used a reentrancy attack to drain all of the protocol’s liquidity, stealing over $6 million. The hacker also stole funds from the Agave protocol using the same exploit.
Several perpetrators have used flash loan attacks to target DeFi protocols since last year. Attacks on Euler Finance ($196 million) and Mango Markets ($46 million) are recent examples. While Eulerwhile’s hacker returned most of the funds, Mango’s thief was apprehended by US authorities.
