Posted on April 16, 2023 at 9:47 PM
DeFi lending platform Hundred Finance commences investigations into a $7M exploit
Hundred Finance, a multi-chain lending protocol, has revealed that it lost around $7 million after being exploited on Optimism, an Ethereum layer-2 blockchain. The protocol said that it contacted the hacker after this hack to find an amicable solution.
Hundred Finance loses $7M after hack
The team at the multi-chain lending protocol said that it had commenced investigations into the matter and how this attack had been conducted. The company has advised the community against speculating until it clarifies the matter through an official statement.
Hundred Finance has said that it will hold talks with the hacker to recover some of the funds stolen in this breach. The protocol further published another tweet saying it was discussing the breach with other security teams.
“We advise not to speculate on how the attack was executed, team is preparing a post mortem. Main focus is establish coms with hacker, reach an agreement. In parallel, we are gathering all information available in order to have that handy for possible further steps,” the protocol said.
The Hundred Finance community also discussed this breach in the community’s Discord server. A pseudonymous team member at the DeFi lending protocol on Discord, acidbird, said that the attacker had not responded to the calls for a discussion. However, the individual said that the company was working in all the possible scenarios.
The Discord server member further said that this breach had affected the team financially. One of the affected individuals had stored all their stablecoins on the protocol. On Sunday, Hundred Finance urged those affected by the breach and in New York to contact the protocol on Twitter or Discord.
Hundred Finance initially warned people of this breach on Saturday on Twitter. The CertiK blockchain security firm detailed this attack, saying that the hacker managed to steal $7.4 million worth of digital assets after they manipulated the exchange rate between ERC-20 and hTOKENS.
hTOKENS power the Hundred Finance ecosystem. These tokens have been described as interest-bearing and are a tokenized representation of deposits by users. The value of these tokens can fluctuate depending on the activities of the other borrowers on the platform.
The attack in question involved wrapped Bitcoin, which is an Ethereum-based token that is fully backed by Bitcoin. The attacker withdrew more tokens than they had deposited on Hundred Finance. The attacker initially donated many wrapped Bitcoin to the Hundred Finance smart contract, which set the exchange rate between wrapped Bitcoin and the Hundred Finance wrapped Bitcoin (hwBTC).
The exploiter manipulated the exchange and took out a massive loan. They also received the money donated after redeeming a small amount of Wrapped Bitcoin by Hundred Finance.
Numen Cyber Technology, a Web3-focused security company, said that the loss reported by Hundred Finance includes more than 1,000 ETH, around 1.2 million of the stablecoin USDC, around 1.1 million of Tether and nearly 843,000 of the stablecoin DAI, and other tokens.
It is not the first time that Hundred Finance has been hacked. The recent hack on the Optimism blockchain happened more than one year after the protocol was exploited on Gnosis Chain. The incident has resulted in Hundred Finance temporarily pausing markets across multiple chains.
Increased hacks in the crypto market
SushiSwap, a decentralized finance protocol, was also the victim of a recent exploit because of a smart contract bug that resulted in more than $3 million in losses. The exploit resulted in a significant loss for the platform even as developers said they could recover some of the stolen funds by engaging the services of a white hat.
The hack on SushiSwap has been termed “weird” by some community members because of how it occurred. The exploited router contract was “used by almost no one” and was only hacked after receiving initial transactions. Some community members say the breach appeared as if someone was waiting for the right time to strike.
A hacker also minted one quadrillion yUSDT tokens after exploiting an old Yearn.finance contract. The hacker exchanged these tokens for $11.6 million worth of stablecoins. After an initial check, Yearn.finance said the issue was limited to iearn, an outdated contract before vaults v1 and v2.
The Bitrue cryptocurrency exchange also suffered a massive attack. The attack resulted in the theft of $23 million from the cryptocurrency exchange. The breach happened in one of the hot wallets belonging to the exchange.