Hundred Finance, a multichain lending technology, has suffered a severe security compromise on the Ethereum layer-2 blockchain Optimism. According to the procedure, the damages total $7.4 million.
On April 15, Hundred Finance announced the exploit, stating that it had contacted the hacker and was cooperating with multiple security teams on the problem. Although the protocol did not specify how the attack was carried out, blockchain security firm CertiK confirmed that it was a flash loan attack:
A flash loan attack involves a hacker borrowing a huge sum of money from a lending protocol via an uncollateralized loan. The hacker then manipulates the price of an asset on a decentralized finance (DeFi) platform with these funds.Â
According to Certik, in Hundred’s situation, the attacker changed the exchange rate between ERC-20 tokens and hTOKENS, allowing them to withdraw more tokens than they had originally invested. “The exchange rate formula was manipulated through Cash value,” the blockchain security firm continued. The hBTC contract’s cash value is the quantity of WBTC it contains. The attacker manipulated the exchange rate by giving huge sums of WBTC to the hToken contract.”
Certik claims that substantial loans were taken out while the exchange rate was manipulated. Hundred Finance was putting together a post-mortem report on the incident. This assault comes over a year after Hundred was exposed to another Gnosis Chain exploit. At the time, the hacker used a reentrancy attack to drain all of the protocol’s liquidity, stealing nearly $6 million. The hacker also stole cash from the Agave protocol using the same attack.
Several criminals have utilized flash loan attacks to target DeFi protocols since previous year. Attacks on Euler Finance ($196 million) and Mango Markets ($46 million) are recent examples. While Eulerwhile’s hacker refunded most of the funds, Mango’s thief was apprehended by US police.
