Hundred Finance Suffers $7 Million Security Breach

Hacker Exploits Loophole in Lending Pools

Hundred Finance, a multichain lending protocol, suffered a security breach on the Optimism layer-2 scaling network, losing approximately $7 million in assets. The protocol first reported the news on April 15. 

After the attack, Hundred Finance said it would conduct a postmortem and advised people to refrain from speculating until it issued an official statement.

Moreover, the multi-chain lending protocol mentioned said it was trying to establish a dialogue with the hacker in hopes of recovering some or all of the funds. The protocol also stated that it was working with different security teams to resolve the issue.

One of the Hundred Finance team members who goes by acidbird via its discord server said the hacker was "not talking yet," but they are looking into all possibilities.

In addition, acidbird said the Hundred Finance team members had been financially affected by the attack, including one person who held all of their stablecoins on the protocol at the time.

In the meantime, Numen Cyber reported a loss of 1030 ETH worth over $2 million.

‍

Cause of the Attack

The hacker inflated the exchange rate for hWBTC by donating 200 WBTC, according to blockchain security firm Peckshield. With a tiny amount of hWBTC, they managed to drain Hundred Finance's lending pools.

The blockchain security firm CertiK described it as a flash loan attack:

A flash loan attack involves a hacker borrowing a large amount of money from a lending protocol in an uncollateralized transaction. Using these funds, the hacker manipulates an asset's price on a decentralized finance platform (DeFi). 

As Certik reports, Hundred's attackers changed the exchange rate between ERC-20 tokens and hTOKENS to withdraw more tokens. In addition, the attacker reportedly manipulated the amount of wBTC by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up. According to Certik, large loans were taken out under the manipulated exchange rate. 

Meanwhile, Hundred Finance asked American users affected by the attack, specifically those in New York, to contact the company on Twitter or Discord.

Uno Re, a decentralized finance (DeFi) risk-based insurance and reinsurance protocol, reached out to Hundred Finance following the latest development to offer assistance in tracing the funds and implementing security measures to reduce future risks. The company's co-founder, Jaskanwar Singh, tweeted that they are "actively tracing funds" in regard to the attack. 

It is worth noting that Hundred Finance has been hacked before. An exploiter took roughly $6.5 million worth of ETH from the protocol last year in a reentrancy attack.

Even though the DeFi space has grown exponentially, security threats are escalating. According to Chainalysis, DeFi protocols contributed 82% of all stolen crypto assets in 2022, equaling $3.1 billion in losses.

Hundred Finance ($HND) fell around 60% within nine hours of the attack. Currently, the token is trading at $0.02429, up 30.7% in 24 hours. 

‍

What is Hundred Finance:

Hundred Finance is a decentralised application (dApp) that allows cryptocurrency lending and borrowing. It is a multi-chain protocol that integrates with Chainlink oracles to ensure market health and stability while focusing on long-tail assets.

Learn more about Hundred Finance:

Website I Twitter I Discord