The multi-chain lending protocol Hundred Finance has experienced a major security breach on the Ethereum layer 2 Optimism blockchain. According to the protocol on Twitter, the losses amount to 7.4 million dollars.
hundred finance Announced the exploit on April 15, saying that it had contacted the hacker and was working with various security teams on the incident. Although the protocol did not disclose how the attack was executed, blockchain security firm Certik noted that it was a hit-and-run attack:
#AlertCertiKSkynet @CienFinanzasThe attacker manipulated the exchange rate between ERC-20 tokens and htokens, allowing them to withdraw more tokens than they had originally deposited. Estimated losses from this attack are around $7.4 million.
Keep alert! https://t.co/1hxAnFoNjj
โ CertiK Alert (@CertiKAlert) April 15, 2023
Flash loan attacks occur when a hacker borrows a large amount of funds through a flash loan (a type of unsecured loan) from a lending protocol. The hacker then combines it with other techniques to manipulate the price of an asset in a decentralized finance (DeFi) platform.
In the Hundred case, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS, allowing them to withdraw more tokens than originally deposited, according to Certik. The blockchain security firm continued:
"The exchange rate formula was manipulated through cash value. Cash is the amount of WBTC held in the hBTC contract. The attacker manipulated it by donating large amounts of WBTC to the hToken contract to drive the exchange rate up."
Certik says large loans were taken under the manipulated exchange rate. Hundred Finance is preparing a postmortem report on the incident.
This attack comes almost 12 months after Hundred was exposed to another exploit on the Gnosis Chain. At that point, the hacker drained all liquidity from the protocol through a reentrancy attack. More than $6 million was lost. In the same exploit, the hacker also stole funds from the Agave protocol.
Since last year, various perpetrators have used quick lending attacks to target DeFi protocols. Recent cases include attacks against Euler Finance ($196 million) and Mango Markets ($46 million). While Euler's trick returned most of the fundsthe Mango thief has been arrested by United States authorities.
Magazine: Should Crypto Projects Ever Deal With Hackers? Probably
Post navigation
