Hundred Finance, a multi-chain lending protocol, has been targeted in a security breach on the Optimism layer-2 scaling network, resulting in the theft of approximately $7 million worth of assets. The platform confirmed the exploit on April 15 and is currently negotiating with the hacker, while also working with various security teams to resolve the issue. Hundred Finance is urging anyone with information on the incident to come forward.
Estimated current loss is ~7m USD.
Once again we hope the hacker will reach out back to us and we will be able to find a joint solution to resolve this matter. 🙏
Thank you everyone for your support and help during these difficult times. ❤️
— Hundred Finance (@HundredFinance) April 15, 2023
What Happened?
According to blockchain security firm Peckshield, the hacker executed the attack by donating 200 WBTC to inflate the exchange rate for hWBTC, allowing them to drain Hundred Finance’s lending pools with a tiny amount of hWBTC. CertiK, another security firm, suggests that the attacker manipulated the exchange rate between ERC-20 tokens and hTokens by donating large amounts of WBTC to the hToken contract to increase the exchange rate. The exploiter then opened a large borrow position under the new exchange rate, which allowed them to withdraw more tokens than they had initially deposited.
The protocol is currently preparing a post-mortem on how the exploit occurred and is advising people not to speculate on it, stating that the focus is to establish communications with the hacker to reach an agreement for a refund.
We advise not to speculate on how the attack was executed, team is preparing a post mortem.
Main focus is establish coms with hacker, reach an agreement.
In parallel we are gathering all information available in order to have that handy for possible further steps.
Thank you
— Hundred Finance (@HundredFinance) April 16, 2023
Not the First
This is not the first time Hundred Finance has been targeted by hackers. Last year, the platform suffered a reentrancy attack resulting in a loss of approximately $6.5 million worth of ETH to the hacker. Despite the exponential growth of the DeFi space, a pressing issue that looms large is the escalating security threats. Recent data from blockchain analytics platform Chainalysis reveals that DeFi protocols were hit the hardest in 2022, accounting for a staggering 82% of all stolen crypto assets, equivalent to $3.1 billion in losses.
