Hundred Finance became a victim of a massive security breach over the weekend. This breach caused the lending protocol a loss worth more than $7 million.
Hundred Finance Announced On Twitter its Recent Security Breach
The news of this security breach came to light on Saturday, 15th April 2023. Hundred Finance took to Twitter to announce this heavy security breach. The protocol further mentioned that it had communicated with the hacker and was collaborating with many security teams to deal with this incident. However, the protocol has not yet revealed how this attack was executed.
Hundred Finance is a multi-chain protocol with a decentralized application (dApp). The protocol provides a platform to lend and borrow cryptocurrencies. According to its whitepaper, the protocol uses vote-escrow tokenomics for the cross-chain management of the protocol’s governance. The protocol also integrates a Chainlink oracle for the health and stability of its market.
Lending Protocol Suffered a Loss of $7.4 Million
The security breach at this multi-chain lending protocol occurred on its deployment on Optimism, an Ethereum layer-2 blockchain. According to Hundred Finance’s Twitter announcement, the losses currently are around $7.4 million.
Optimism Attack Was a Flash Loan Attack
A blockchain security firm called CertiK suggested that the attack was a flash loan attack. A flash loan attack is an attack on a DeFi platform that uses flash loans. A cyber thief borrows a huge sum of cryptocurrency via uncollateralized lending (a flash loan). Then they use this borrowed amount to influence the prices of some assets on the DeFi platform.
The Exchange Rate Between ERC-20 Tokens And hTokens Exploited For The Optimism Attack
According to speculation from CertiK, the Optimism hackers exploited the exchange rate between ERC-20 tokens and hTokens. This manipulation enabled the hackers to withdraw more tokens than they had deposited. However, there is no official statement from Hundred Finance yet regarding how this attack was carried out.
What Are ERC-20 Token And hToken?
An ERC-20 token is used on the Ethereum blockchain. It is a standard which is used for creating and issuing smart contracts on the blockchain. The initials ERC stand for “Ethereum Request for Comment”. The ERC-20 standard was first implemented in the year 2015.
According to Hundred Finance’s official website, hTokens are tokenised representations of users’ deposits which bear their interest. Thus, their value can fluctuate based on the borrower’s activities.
hTokens are a collection of assets that are issued on the Ethereum blockchain. These tokens are backed by cryptocurrencies of other blockchains and act as a bridge connecting the centralized and decentralized cryptocurrency markets. hToken tries to bring in more digital assets to the DeFi system of Ethereum and allow users to efficiently access DeFi protocols.
hTokens are issued using both the ERC-20 and TRC-20 standards. Thus, they show the flexibility of both Ethereum and Tron networks. According to its whitepaper, hTokens are minted in a 1:1 ratio of collateralization. The value of hToken is pegged with other well-known cryptocurrencies.
Break Down Of The Attack By Blockchain Security Firm
CertiK used Twitter to break down the Optimism security hack. According to the security firm, hackers manipulated the exchange rate using cash value.
Cash is the total value of WBTC that the hBTC contract has. The hacker influenced the exchange rate to go up by transferring a large sum of WBTC to the hToken contract.
#CertiKSkynetAlert 🚨@HundredFinance’s attacker manipulated the exchange rate between ERC-20 tokens and htokens which allowed them to withdraw more tokens than they had originally deposited. The estimated losses of this attack is around $7.4 million.
Stay vigilant! https://t.co/1hxAnFoNjj
— CertiK Alert (@CertiKAlert) April 15, 2023
After this, the hacker took out a large flash loan at this inflated exchange rate. Finally, the hacker received back the amount they had initially transferred by redeeming 1 hToken.
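The cash-based exchange-rate weakness CertiK describes above, reduced to a toy accounting model (an added example, not code from Hundred Finance or CertiK). It assumes the simplified formula rate = cash / hToken supply, with borrows and reserves omitted; the Market class, its method names and all numbers are constructed for illustration. It contrasts a market that reads cash from its live token balance with one that only counts cash recorded through mint, and adds a simple rate-jump monitoring check.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class Market:
    """Toy hToken market (constructed). Assumption: rate = cash / supply."""
    track_cash_internally: bool           # True = hardened accounting
    token_balance: int = 0                # underlying held by the contract
    internal_cash: int = 0                # underlying recorded via mint() only
    total_supply: Fraction = Fraction(0)  # hTokens in circulation

    def cash(self) -> int:
        # Weak variant trusts the live balance, which anyone can raise
        # with a plain ERC-20 transfer; hardened variant ignores it.
        return self.internal_cash if self.track_cash_internally else self.token_balance

    def exchange_rate(self) -> Fraction:
        if self.total_supply == 0:
            return Fraction(1)            # assumed initial rate of 1:1
        return Fraction(self.cash()) / self.total_supply

    def mint(self, underlying: int) -> Fraction:
        minted = Fraction(underlying) / self.exchange_rate()
        self.token_balance += underlying
        self.internal_cash += underlying
        self.total_supply += minted
        return minted

    def direct_transfer(self, underlying: int) -> None:
        # Tokens sent straight to the contract address, bypassing mint().
        self.token_balance += underlying

    def collateral_value(self, htokens) -> Fraction:
        return htokens * self.exchange_rate()

def donation_scenario(track_cash_internally: bool):
    """Value of the same 2 hTokens before and after a direct transfer."""
    m = Market(track_cash_internally)
    held = m.mint(2)                      # thinly supplied market
    before = m.collateral_value(held)
    m.direct_transfer(1_000_000)
    return before, m.collateral_value(held)

def rate_jump(before, after, limit=Fraction(11, 10)) -> bool:
    """Monitoring check: flag a rate rise above `limit` (assumed 10%)."""
    return after > before * limit

if __name__ == "__main__":
    for hardened in (False, True):
        b, a = donation_scenario(hardened)
        print(hardened, b, a, rate_jump(b, a))
```

With balance-based cash the same 2 hTokens are valued at 1,000,002 units after the transfer; with internally tracked cash they stay at 2 and the check stays quiet.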
Hundred Finance Preparing a Post-Mortem Report On The Attack
On the 16th of April 2023, a day after the attack was publicly announced, Hundred Finance reached out to its community via Twitter. The tweet said that the protocol team is planning an investigation and aims to get to the bottom of the attack.
Currently, the protocol’s main agenda seems to be establishing contact with the hackers to reach some agreement. To achieve this, their team has already initiated a conversation with the hackers.
They further added that their team is tirelessly collecting vital information to prepare for the next step after this debacle. Meanwhile, they have advised the public not to rely on speculation from anywhere other than Hundred Finance’s official source. They lastly added that the community will be updated as they gather more information.
Previous Attack On Hundred Finance’s Gnosis Chain
The Optimism attack was not the first attack on Hundred Finance. Almost a year ago, the protocol suffered another blow on Gnosis Chain, when a cyber thief took all of the protocol’s liquidity.
The previous attack was a reentrancy attack and had caused Hundred Finance a loss of over $6 million. During that cyber hack, the cyber thief also drained funds from the Agave protocol.
Flash Loans Becoming A Serious Threat For DeFi
Flash loans are becoming a serious threat to DeFi protocols and are surging at the moment. Flash loan attacks are becoming a common type of DeFi attack as they are quick to pull off and easy to get away with. This type of cyber attack only takes a few seconds and can affect more than 4 DeFi protocols. To date, flash loan attacks have caused losses of millions of dollars.
Since 2022, several cyber hackers have attacked DeFi protocols via flash loan attacks. Some well-known recent flash loan cases are Euler Finance with a loss of $196 million, and Mango Markets with a loss of around $46 million.