The Ethereum layer-2 blockchain Optimism witnessed a significant security breach involving multichain lending protocol Hundred Finance. According to the protocol, the losses amount to $7.4 million.
#CertiKSkynetAlert 🚨@HundredFinance’s attacker manipulated the exchange rate between ERC-20 tokens and htokens which allowed them to withdraw more tokens than they had originally deposited. The estimated losses of this attack are around $7.4 million.
Stay vigilant! https://t.co/1hxAnFoNjj
— CertiK Alert (@CertiKAlert) April 15, 2023
For these cases, the feature enables arbitrage, refinancing and other operations for user profit during the loan period. However, the fees are to be repaid within the same transaction. If not, the transaction is reversed and no funds are disbursed. While flash loans can be useful for legitimate purposes, malicious actors have exploited them to execute flash loan attacks, as in the case of Hundred Finance.
A slew of other DeFi protocols have fallen victim to the same method. This attack comes nearly 12 months after Hundred Finance suffered another exploit on the Gnosis Chain, in which a hacker drained all of the protocol's liquidity through a reentrancy attack and absconded with over $6 million. The same threat actor also extracted funds from the Aave protocol.
CertiK explained that in Hundred's case, the attacker manipulated the exchange rate between ERC-20 tokens and hTokens, enabling them to withdraw more tokens than initially deposited. CertiK further elaborated:
"The exchange rate formula was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up."
CertiK disclosed that massive loans were taken under the manipulated exchange rate, and Hundred Finance was working on a postmortem report for the incident.
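The effect CertiK describes can be seen in a small model. This is an added example, not code from Hundred Finance or CertiK: it assumes a Compound-style rate of (cash + borrows - reserves) / hToken supply, and every name and number in it is constructed. It compares a rate that reads cash from the raw token balance with one that reads it from an internal ledger, and exposes the gap between the two as a monitoring signal.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Market:
    """Simplified lending market (constructed model, not the protocol's code)."""
    token_balance: int    # underlying actually held by the hToken contract
    accounted_cash: int   # underlying recorded through deposit/withdraw paths
    total_borrows: int
    total_reserves: int
    total_supply: int     # hTokens outstanding

    def donate(self, amount: int) -> None:
        """Direct token transfer to the contract: only the raw balance moves."""
        self.token_balance += amount

    def _rate(self, cash: int) -> Fraction:
        # Assumed Compound-style formula: underlying per hToken.
        return Fraction(cash + self.total_borrows - self.total_reserves,
                        self.total_supply)

    def rate_from_balance(self) -> Fraction:
        """Weak design: Cash is whatever balance the contract holds."""
        return self._rate(self.token_balance)

    def rate_from_ledger(self) -> Fraction:
        """Hardened design: Cash only changes through accounted paths."""
        return self._rate(self.accounted_cash)

    def unaccounted(self) -> int:
        """Detection signal: balance that the ledger cannot explain."""
        return self.token_balance - self.accounted_cash


def demo():
    # Constructed state: 1,000 units of cash backing 50,000 hTokens.
    m = Market(token_balance=1_000, accounted_cash=1_000,
               total_borrows=0, total_reserves=0, total_supply=50_000)
    before = m.rate_from_balance()
    m.donate(9_000)  # constructed donation, bypasses the deposit path
    return before, m.rate_from_balance(), m.rate_from_ledger(), m.unaccounted()


if __name__ == "__main__":
    before, inflated, ledger, gap = demo()
    print(f"before={before} balance-based={inflated} ledger-based={ledger} gap={gap}")
```

A nonzero `unaccounted()` value, or a balance-based rate that moves within a single transaction while the ledger-based rate does not, is the condition a monitor or an on-chain guard would alert on.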