The attacker reportedly manipulated the exchange rate between ERC-20 tokens and hTOKENS to steal over $7 million from the protocol.
Multichain lending protocol Hundred Finance has experienced a significant security breach on the Ethereum layer-2 blockchain Optimism. The protocol tweeted that the losses sit at $7.4 million.
Hundred Finance announced the exploit on April 15, saying it had contacted the hacker and was working with various security teams on the incident. Although the protocol didn't reveal how the attack was executed, blockchain security firm CertiK said it was a flash loan attack.
Flash loan attacks involve a hacker borrowing a large amount of funds via a flash loan, an uncollateralized loan from a lending protocol that must be borrowed and repaid within a single transaction. The hacker then uses these funds to manipulate the price of an asset on a decentralized finance (DeFi) platform, extracts value at the manipulated price, and repays the loan before the transaction ends.
In Hundred's case, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS, allowing them to withdraw more tokens than originally deposited, according to CertiK. The blockchain security firm continued:
“The exchange rate formula was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up.”
CertiK says that large loans were taken out under the manipulated exchange rate. Hundred Finance was preparing a postmortem report on the incident.
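The mechanism CertiK describes follows directly from the Compound-v2-style exchange rate formula that hToken-type markets use: rate = (cash + borrows - reserves) / totalSupply, where cash is the underlying balance the contract holds. Because a plain ERC-20 transfer into the contract raises cash without minting any hTokens, it raises the rate for every existing hToken. The model below is an added illustration written for this article, not Hundred Finance's or CertiK's code; it assumes a 1:1 initial rate, an empty market in which the attacker's own deposit is the entire supply, and constructed amounts (2 satoshi deposited, 500 WBTC donated). The `use_tracked_cash` variant is a hypothetical hardening that counts only cash recorded by the market's own mint, redeem, borrow and repay paths, so a donation has no effect on the rate.

```python
# Added example: minimal model of a Compound-v2-style lending market (the design
# hTokens follow). Not Hundred Finance's or CertiK's code; all amounts are
# constructed for illustration.
from dataclasses import dataclass

WAD = 10**18   # fixed-point scale for the exchange rate, as in Compound v2
SAT = 10**8    # WBTC has 8 decimals; amounts below are in satoshi


@dataclass
class Market:
    cash: int = 0              # underlying the contract really holds (balanceOf(this))
    borrows: int = 0           # underlying currently lent out
    reserves: int = 0          # protocol reserves, excluded from the rate
    total_supply: int = 0      # hTokens outstanding
    tracked_cash: int = 0      # hypothetical hardening: cash recorded by accounting hooks only
    use_tracked_cash: bool = False
    initial_rate: int = WAD    # assumption: 1 hToken == 1 underlying unit while supply is 0

    def exchange_rate(self) -> int:
        """Compound v2: (cash + borrows - reserves) / totalSupply, scaled by WAD."""
        if self.total_supply == 0:
            return self.initial_rate
        cash = self.tracked_cash if self.use_tracked_cash else self.cash
        return (cash + self.borrows - self.reserves) * WAD // self.total_supply

    def mint(self, amount: int) -> int:
        """Deposit underlying; receive hTokens at the current rate (rounds down)."""
        tokens = amount * WAD // self.exchange_rate()
        self.cash += amount
        self.tracked_cash += amount
        self.total_supply += tokens
        return tokens

    def redeem(self, tokens: int) -> int:
        """Burn hTokens; receive underlying at the current rate (rounds down)."""
        amount = tokens * self.exchange_rate() // WAD
        if amount > self.cash:
            raise ValueError("insufficient cash")
        self.cash -= amount
        self.tracked_cash -= amount
        self.total_supply -= tokens
        return amount

    def donate(self, amount: int) -> None:
        """Plain ERC-20 transfer into the contract: no hTokens minted, no accounting hook."""
        self.cash += amount

    def underlying_value(self, tokens: int) -> int:
        """Collateral value the protocol attributes to an hToken balance, in underlying units."""
        return tokens * self.exchange_rate() // WAD


def run_scenario(use_tracked_cash: bool) -> dict:
    """Replay the donation step against an empty market and report what the attacker gets."""
    m = Market(use_tracked_cash=use_tracked_cash)
    held = m.mint(2)                    # attacker is the sole depositor: 2 sat -> 2 hTokens
    m.donate(500 * SAT)                 # flash-loaned WBTC sent straight to the contract
    collateral = m.underlying_value(held)   # what the protocol now thinks 2 hTokens are worth
    recovered = m.redeem(held)          # can the donation be pulled back out via redeem?
    return {
        "tokens": held,
        "rate": m.exchange_rate() if m.total_supply else None,
        "collateral_sat": collateral,
        "recovered_sat": recovered,
    }


if __name__ == "__main__":
    for hardened in (False, True):
        r = run_scenario(hardened)
        print("tracked cash" if hardened else "balanceOf cash", r)
```

In the unhardened run the 2 hTokens are valued at the full 500 WBTC, which is what the protocol would accept as collateral for borrows in its other markets, and `redeem` returns the whole donation afterwards, so the donation costs the attacker nothing and the flash loan can be repaid while the borrows remain outstanding. With accounting-tracked cash the donation is simply ignored: the 2 hTokens stay worth 2 satoshi and `redeem` returns 2. Tracked cash is only one control; seeding new markets with a permanently locked initial deposit so total supply can never be made this small is another common one. Neither is stated by the article to be what Hundred Finance does or did.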
This attack comes almost 12 months after Hundred was hit by another exploit, on the Gnosis Chain. At that time, the hacker drained all of the protocol's liquidity through a reentrancy attack, taking over $6 million. In the same exploit, the hacker also stole funds from the Agave protocol.
Since last year, a number of perpetrators have used flash loan attacks to target DeFi protocols. Recent cases include attacks against Euler Finance ($196 million) and Mango Markets ($46 million). While Euler's hacker returned most of the funds, Mango's thief has been arrested by United States authorities.