Multichain lending protocol Hundred Finance has been exploited on Optimism, the Ethereum layer-2 network. According to the protocol, losses amount to roughly $7.4 million.
Hundred Finance disclosed the exploit on April 15. According to the disclosure, the team had already contacted the attacker and was working with several security teams to address the incident. Although the protocol did not divulge the attack's exact methodology, blockchain security firm CertiK identified it as a flash loan attack:
#CertiKSkynetAlert 🚨 @HundredFinance’s attacker manipulated the exchange rate between ERC-20 tokens and htokens, which allowed them to withdraw more tokens than they had originally deposited. The estimated losses from this attack are around $7.4 million. Stay vigilant! https://t.co/1hxAnFoNjj — CertiK Alert (@CertiKAlert) April 15, 2023
Flash loan attacks involve an attacker borrowing a large sum through an uncollateralized loan from a lending protocol and using it, within the same transaction, to manipulate an asset's price or exchange rate on a decentralized finance (DeFi) platform. The flash loan itself is a legitimate DeFi primitive: it lets a user borrow a large amount of an asset with no collateral, on the condition that the principal and the fee are returned before the same blockchain transaction ends.
Within that transaction the borrowed capital can fund arbitrage, refinancing, collateral swaps and similar operations. If the principal plus fee has not been repaid by the time the transaction completes, the whole transaction reverts and the lender's funds never leave the pool. While flash loans serve legitimate purposes, malicious actors use the same capital to execute flash loan attacks, as in the case of Hundred Finance.
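To make the single-transaction property concrete, here is an added example in Python (not code from Hundred Finance, CertiK or any real lending protocol): a toy pool whose flash_loan snapshots its state, hands the funds to a callback, and rolls everything back unless principal plus fee comes back. The pool, the 0.09% fee, the two DEX prices and the amounts are constructed for illustration.

```python
"""Toy lending pool showing the one property that makes a flash loan safe for
the lender: borrow and repayment happen inside a single transaction, and the
whole transaction is undone if principal plus fee is not returned.

Added example, not code from Hundred Finance, CertiK or any real lending
protocol. The pool, fee, DEX prices and amounts are constructed.
"""
import copy

FEE_BPS = 9  # constructed flash-loan fee: 0.09% of the principal


class Reverted(Exception):
    """Stands in for an EVM revert: every state change of the call is discarded."""


class LendingPool:
    def __init__(self, liquidity):
        self.liquidity = liquidity
        self.fees_earned = 0

    def flash_loan(self, amount, callback):
        """Lend `amount` with no collateral. `callback(amount)` runs with the funds
        and returns what it repays; less than principal + fee reverts everything."""
        if amount > self.liquidity:
            raise Reverted("insufficient liquidity")
        snapshot = copy.deepcopy(self.__dict__)        # EVM state before the call
        try:
            self.liquidity -= amount                   # funds leave the pool
            fee = amount * FEE_BPS // 10_000
            repaid = callback(amount)
            if repaid < amount + fee:
                raise Reverted("flash loan not repaid")
            self.liquidity += repaid
            self.fees_earned += repaid - amount
        except Reverted:
            self.__dict__.update(snapshot)             # roll back, as a revert would
            raise


# Constructed prices on two hypothetical DEXes, quoted in USDC per token.
PRICE_DEX_A = 100
PRICE_DEX_B = 101


def arbitrage(pool, amount, buy_price=PRICE_DEX_A, sell_price=PRICE_DEX_B):
    """Borrow USDC, buy tokens where they are cheap, sell where they are dear,
    repay principal + fee and keep the spread. Returns the trader's profit, or
    raises Reverted (leaving the pool untouched) if the spread cannot cover the fee."""
    trader = {"profit": 0}

    def use_funds(borrowed):
        tokens = borrowed // buy_price
        proceeds = tokens * sell_price
        owed = borrowed + borrowed * FEE_BPS // 10_000
        repay = min(proceeds, owed)                    # can only repay what the trade produced
        trader["profit"] = proceeds - repay
        return repay

    pool.flash_loan(amount, use_funds)
    return trader["profit"]


def theft_attempt(pool, amount):
    """A borrower who simply keeps the money: the loan reverts and nothing is lost."""
    before = pool.liquidity
    try:
        pool.flash_loan(amount, lambda borrowed: 0)
    except Reverted:
        pass
    return pool.liquidity == before


if __name__ == "__main__":
    pool = LendingPool(10_000_000)
    print("arbitrage profit:", arbitrage(pool, 1_000_000), "pool now:", pool.liquidity)
    print("theft rolled back:", theft_attempt(pool, 1_000_000))
```

The point for the attacker is the same rollback: a manipulation funded by a flash loan only has to be profitable enough to cover principal plus fee by the end of the transaction, so the attacker never needs capital of their own and never risks the borrowed funds.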
The same method has been used against a slew of other DeFi protocols. This attack comes just over a year after Hundred Finance suffered another exploit, on Gnosis Chain in March 2022, in which a hacker drained all of the protocol's liquidity through a reentrancy attack and absconded with over $6 million. The same threat actor also drained funds from Agave, an Aave fork on that chain, in the same attack.
CertiK explained that in Hundred's case, the attacker manipulated the exchange rate between ERC-20 tokens and hTokens, enabling them to withdraw more tokens than they had initially deposited. CertiK further elaborated:
"The exchange rate formula was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up."
CertiK added that large loans were then taken out while the exchange rate was in this manipulated state, and that Hundred Finance was preparing a postmortem report on the incident.
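The mechanism CertiK describes follows directly from the Compound-style exchange-rate formula that hTokens use, exchangeRate = (cash + borrows - reserves) / totalSupply, where CertiK's "Cash" is the cash term: anything that raises cash without minting hTokens raises the rate for every existing holder. The added example below (Python; not Hundred Finance's or CertiK's code, and not a reconstruction of the actual transaction) reproduces that arithmetic in a toy market and goes one step beyond the page. It shows that a donation into a normally supplied market is merely a gift to the other holders; that the same donation into a market whose supply has been shrunk to 2 wei of hWBTC makes those 2 wei appear to be worth hundreds of WBTC of collateral and makes a later deposit round down to zero hTokens; and that two standard mitigations, rejecting zero-share mints and seeding the market with non-redeemable "dead shares", remove the profit. The Market class, all amounts, the participant names and the mitigations are constructed assumptions.

```python
"""Toy Compound-style lending market (the design hTokens follow) used to show
how a plain ERC-20 donation moves the exchange rate, and when that is harmful.

Added example, not Hundred Finance or CertiK code. The Market class, the
numbers, the names and the two mitigations are constructed for illustration.
Amounts are integers: WBTC in satoshis, hTokens in their smallest unit.
"""
WAD = 10**18               # 1e18 fixed-point scale used by Compound-style markets
SAT = 10**8                # 1 WBTC = 1e8 satoshis
INITIAL_RATE = 2 * 10**16  # Compound's 0.02 initial rate for an 8-decimal underlying


class Market:
    def __init__(self, dead_shares_wbtc=0, reject_zero_mint=False):
        self.cash = 0          # underlying held by the hToken contract ("Cash")
        self.borrows = 0       # outstanding borrows; zero in this example
        self.reserves = 0      # protocol reserves; zero in this example
        self.total_supply = 0  # hTokens in circulation
        self.balances = {}
        self.reject_zero_mint = reject_zero_mint
        if dead_shares_wbtc:   # mitigation 2: seed liquidity that nobody can redeem
            self.mint("0x...dead", dead_shares_wbtc * SAT)

    def exchange_rate(self):
        """Compound formula: (cash + borrows - reserves) / totalSupply, WAD-scaled."""
        if self.total_supply == 0:
            return INITIAL_RATE
        return (self.cash + self.borrows - self.reserves) * WAD // self.total_supply

    def mint(self, who, amount):
        tokens = amount * WAD // self.exchange_rate()  # integer division rounds down
        if self.reject_zero_mint and tokens == 0:      # mitigation 1
            raise ValueError("deposit would mint zero hTokens")
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def redeem(self, who, tokens):
        amount = tokens * self.exchange_rate() // WAD
        self.balances[who] -= tokens
        self.total_supply -= tokens
        self.cash -= amount
        return amount

    def donate(self, amount):
        """Raw ERC-20 transfer to the hToken contract: cash rises, nothing is minted."""
        self.cash += amount

    def value_of(self, who):
        """Underlying the holder's hTokens redeem for; borrow limits derive from this."""
        return self.balances.get(who, 0) * self.exchange_rate() // WAD


def donation_into_healthy_market():
    """With a normal supply, a donation is just a gift to the existing hToken holders."""
    m = Market()
    m.mint("alice", 100 * SAT)
    m.donate(100 * SAT)
    return m.exchange_rate() // INITIAL_RATE, m.value_of("alice") // SAT  # (2, 200)


def donation_into_emptied_market(dead_shares_wbtc=0, reject_zero_mint=False):
    """Attacker shrinks the supply to 2 wei, donates, and a victim deposits afterwards."""
    m = Market(dead_shares_wbtc, reject_zero_mint)
    spent = 1 * SAT
    minted = m.mint("attacker", spent)
    recovered = m.redeem("attacker", minted - 2)   # leave 2 wei of hWBTC outstanding
    m.donate(500 * SAT)                            # "donating large amounts of WBTC"
    spent += 500 * SAT
    result = {
        "rate_wbtc_per_wei": m.exchange_rate() // WAD // SAT,
        "attacker_collateral_wbtc": m.value_of("attacker") // SAT,
    }
    try:
        result["victim_tokens"] = m.mint("bob", 100 * SAT)
    except ValueError:
        result["victim_tokens"] = None             # mitigation 1 rejected the deposit
    recovered += m.redeem("attacker", 2)
    result["attacker_profit_sats"] = recovered - spent
    return result


if __name__ == "__main__":
    print("healthy market:", donation_into_healthy_market())
    print("emptied market:", donation_into_emptied_market())
    print("reject zero-mint:", donation_into_emptied_market(reject_zero_mint=True))
    print("dead shares:", donation_into_emptied_market(dead_shares_wbtc=1))
```

In the unmitigated run the 500 WBTC donation leaves 2 wei of hWBTC with an exchange rate of 250 WBTC per wei, so the attacker's position is valued at 500 WBTC of collateral while a later 100 WBTC deposit mints zero hTokens and is captured on redemption. With a non-redeemable seed supply the same donation mostly accrues to the locked shares and the attacker ends the run about 500 WBTC poorer; rejecting zero-share mints protects the depositor but still lets the rate be inflated, which is why a protocol should not let a market's supply be drained to a few wei in the first place.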
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.