News

Hacker Exploits Hundred Finance Protocol In $7.4 Million Heist

Hacker Exploits Hundred Finance Protocol In $7.4 Million Heist

The multi-chain lending protocol Hundred Finance disclosed Saturday that it lost around $7 million after being hacked on the Ethereum layer-2 blockchain Optimism.

Estimated current loss is ~7m USD.

Once again we hope the hacker will reach out back to us and we will be able to find a joint solution to resolve this matter. 🙏

Thank you everyone for your support and help during these difficult times. ❤️ https://t.co/wLGAl4AAGA

— Hundred Finance (@HundredFinance) April 15, 2023

The protocol team said it was preparing a post-mortem on how the attack took place, and it advised people not to speculate until it provides clarity via an official statement.

Additionally, Hundred Finance said it’s trying to establish a dialogue with the hacker in hopes of recovering some or all of the stolen funds. In a separate Tweet, Hundred Finance said it was also talking to different security teams about the incident.

We advise not to speculate on how the attack was executed, team is preparing a post mortem.

Main focus is establish coms with hacker, reach an agreement.

In parallel we are gathering all information available in order to have that handy for possible further steps.

Thank you

— Hundred Finance (@HundredFinance) April 16, 2023

In a chatroom on Hundred Finance’s discord server, a pseudonymous member of the Hundred Finance team named acidbird said the “hacker is not talking yet” but the team is working “on all possible scenarios.”

Additionally, acidbird said that members of the Hundred Finance team have been “hit financially” by the attack, including one person that had all of their stablecoins on the protocol.

On Sunday, the protocol asked users impacted by the attack and based in the U.S., specifically the state of New York, to contact Hundred Finance on either Twitter or the messaging app Discord.

Hundred Finance first warned people on Twitter about the attack on Saturday, when the value of the protocol’s Hundred Finance token, HND, was around $0.0416, according to CoinGecko. Since then, it’s fallen around 46% to $0.0212.

It looks that Hundred got hacked on #Optimism. We will update when there is more information to it.

— Hundred Finance (@HundredFinance) April 15, 2023

The blockchain security firm CertiK broke down the attack on Twitter, explaining that the hacker was able to walk away with $7.4 million worth of digital assets after manipulating the exchange rate between Ethereum ERC-20 and hTOKENS.

hTOKENS are described as “interest-bearing, tokenized representations of user deposits” on Hundred Finance’s website, which can fluctuate in value depending on the activities of other borrowers.

The attack also involved wrapped Bitcoin, an Ethereum-based token that’s backed 1:1 by Bitcoin.

The attacker was able to withdraw more tokens than they had deposited to Hundred Finance, CertiK said. First, the attacker donated a large amount of wrapped Bitcoin to the smart contract on Hundred Finance that determined the exchange rate between wrapped Bitcoin and Hundred Finance Wrapped Bitcoin (hwBTC).

This inflated the exchange rate, after which the attacker took out a large loan and was then able to get the amount they had donated back by redeeming a relatively small amount of Hundred Finance Wrapped Bitcoin.

According to the Web-3 focussed security firm Numen Cyber Technology, the loss incurred by Hundred Finance comprises over 1,000 Ethereum, around 1.2 million of the stablecoin USDC, roughly 1.1 million of the stablecoin Tethern, and nearly 843,000 of the stablecoin DAI, among other tokens.

Total loss:

0.058 $WBTC
20,854 $SNX
1,265,978 $USDC
842,788 $DAI
1,113,430 $USDT
865,142 $sUSD
457,286 $FRAX
1,030 $ETH

— NumenAlert Ⓝ (@NumenAlert) April 16, 2023

The hack sustained by Hundred Finance on Optimism comes just over a year after the protocol was hacked on Gnosis chain, a blockchain project that runs on top of the Ethereum network. That incident caused Hundred Finance to temporarily pause its markets across chains.

Unfortunately Hundred and Agave have both been exploited on Gnosis chain today. Gnosis team is aware, investigation is ongoing.

All the Hundred markets on all chains paused for now.

These are the two transactions:
Hundred https://t.co/mdtViohijn
Agave https://t.co/RKB5MVx0O4

— Hundred Finance (@HundredFinance) March 15, 2022

Stay on top of crypto news, get daily updates in your inbox.





Source: https://decrypt.co/136918/hacker-exploits-hundred-finance-protocol-in-7-4-million-heist

Leave a Reply

Your email address will not be published. Required fields are marked *