This weekend, the DeFi Hundred Finance protocol suffered a hack of over $7 million. Last year, the project also had to endure an attack of similar magnitude.
Hundred Finance suffered a hack on Optimism
The multi-chain lending and borrowing protocol Hundred Finance (HND), suffered a hack this weekend, resulting in a loss of about $7.4 million.
This hack took place on layer 2 Optimism (OP), and although the protocol teams called “not on how the attack was executed”, as they were preparing an analysis, blockchain security firm CertiK has already looked into the matter.
This would therefore be due to a manipulation of the exchange rate formula between WBTC and hBTC, with hTokens being the proof of deposit received when providing liquidity on the protocol. By artificially adding large amounts of WBTC to the smart contract, the price changes and this allowed the attacker to withdraw more than he was eligible for as CertiK explained in his thread:
CertiKSkynetAlert @HundredFinance‘s attacker manipulated the exchange rate between ERC-20 tokens and htokens which allowed them to withdraw more tokens than they had originally deposited. The estimated losses of this attack is around $7.4 million.
Stay vigilant! https://t.co/1hxAnFoNjj
– CertiK Alert (@CertiKAlert) April 15, 2023
In addition, Hundred Finance has invited those affected in the hack and residing in the United States, especially those in the state of New York, to get in touch. However, if one can speculate about a possible compensation, the reasons for this request have not been communicated publicly:
If anyone affected by the hack is from USA, specifically from NY, please reach out, dm this account or one of the team members on Discord. Thank you!
– Hundred Finance (@HundredFinance) April 16, 2023
Second attack in 13 months
This is not the first time Hundred Finance has been targeted by a hack. And for good reason, in March 2022, the protocol had suffered another attack to the tune of 2,363 ETH, or $6.2 million at the time. This episode took place on the Gnosis Chain (xDAI).
Moreover, it seems that the flaw we are talking about today is common to other protocols, as the Hundred Finance code is actually a fork of Coumpound V2. Thus, the project team has invited similar forks to contact them in order to discuss this vulnerability:
If you are a Compound V2 fork and we or our frens are not in contact with you already, please reach out so we share the information on the hack since it is a general flaw in the code and not specific to Hundred deployment.
Thank you
– Hundred Finance (@HundredFinance) April 16, 2023
At the same time, HND, the Hundred Finance token, has completely deviated. While it was trading at $0.043 before the events, it is now half that at $0.021 at the time of writing.
While the amounts involved may seem relatively small compared to other attacks that have taken place in the decentralized finance ecosystem (DeFi), it is worth noting that the protocol only claims $10.5 million in deposits. Depending on the turn of events to come, it could therefore be difficult for the project to recover.