- Hackers attacked the Hundred Finance multi-chain lending protocol on April 15, 2023.
- The breach occurred on the DeFi platform’s Optimism Layer 2 scaling solution.
- Hundred Finance has sent a message to the hacker and claims to be in talks with different security teams.
Hackers attacked the Hundred Finance multi-chain lending protocol on Saturday, April 15, 2023. According to PeckShield, the blockchain security and data analytics company, the DeFi lending protocol incurred a loss of around $7 million during the attack.
The loss of today's @HundredFinance hack is ~$7m.The root cause appears the attacker donates 200 WBTC to inflate hWBTC's exchange rate so that even a tiny amount (2 wei) of hWBTC can basically drain current lending pools.Here comes the hack tx: https://t.co/ryPYk74dgE https://t.co/YbfnTvf1Uw pic.twitter.com/QbsbZBfemJ— PeckShield Inc. (@peckshield) April 15, 2023
A report by PeckShield revealed a hacker exploited the lending protocol by donating 200 WBTC to inflate hWBTC’s exchange rate. That allowed the hacker to drain the lending pools using small amounts of hWBTC.
Hundred Finance originally announced the protocol breach via its official Twitter handle. According to the DeFi lending platform, the breach occurred on its Optimism Layer 2 scaling solution. The announcement reads:
It looks like Hundred got hacked on Optimism. We will update you when there is more information about it.
Following the announcement, multiple users attempted to analyze the hack, providing alternative results to what happened. Some of them posted their analysis as replies to Hundred Finance’s tweet.
A user who analyzed the transaction on Etherscan noted two contracts could mint hWBTC. According to the user, both mints have slightly different ratios in the fifth decimal place, and the hacker tested both mints before the hack.
Another user provided a more detailed description of the hack, noting that the hacker executed the hack using a unique attack loop involving minting, transferring, borrowing, redemption, and liquidating tokens.
Today's Hundred Finance attack has a pretty unique attack loop.Mint, redeem it all – 2, transfer it back to the ctoken contract(!), borrow a lot(!), take the target funds, redeem the big pile of the original currency(!), liquidate the child attack contract, and redeem 1. pic.twitter.com/TNseoCeon3— Daniel Von Fange (@danielvf) April 15, 2023
In a follow-up tweet, Hundred Finance announced to its customers that it had sent a message to the hacker and claimed to be in talks with different security teams. It also solicited help from the public on how to resolve the issue.
The platform also advised users to desist from further speculations about the attack. It claimed that the project’s team is preparing a post-mortem, noting that its primary focus is to establish communication with the hacker and negotiate an agreement.
The post Hundred Finance Lending Protocol Loses $7M to Hack on Optimism appeared first on Coin Edition.