Hundred Finance loses $7 million in Optimism hack

Multichain lending protocol Hundred Finance has skilled a major safety breach on the Ethereum layer-2 blockchain Optimism. The protocol tweeted that the losses sit at $7.4 million.

Hundred Finance announced the exploit on April 15, saying it had contacted the hacker and was working with varied safety groups on the incident. Though the protocol didn’t reveal how the assault was executed, blockchain safety agency CertiK mentioned it was a flash mortgage assault:

#CertiKSkynetAlert @HundredFinance’s attacker manipulated the trade charge between ERC-20 tokens and htokens which allowed them to withdraw extra tokens than that they had initially deposited. The estimated losses of this assault is round $7.4 million.

Keep vigilant! https://t.co/1hxAnFoNjj

— CertiK Alert (@CertiKAlert) April 15, 2023

Flash mortgage assaults contain a hacker borrowing a considerable amount of funds by way of a kind of uncollateralized mortgage from a lending protocol. The hacker then makes use of these funds to control the value of an asset on a decentralized finance (DeFi) platform. 

In Hundred’s case, the attacker manipulated the trade charge between ERC-20 tokens and hTOKENS, permitting them to withdraw extra tokens than initially deposited, in accordance with Certik. The blockchain safety agency continued:

“The trade charge system was manipulated by means of Money worth. Money is the quantity of WBTC that the hBTC contract has. The attacker manipulated it by donating massive quantities of WBTC to the hToken contract in order that the trade charge goes up.”

Certik says that enormous loans have been taken out beneath the manipulated trade charge. Hundred Finance was getting ready a postmortem report on the incident.

This assault comes virtually almost 12 months after Hundred was exposed to another exploit on the Gnosis Chain. At the moment, the hacker drained the entire protocol’s liquidity by means of a reentrancy assault, taking up $6 million. In the identical exploit, the hacker additionally stole funds from the Agave protocol.

Since final 12 months, quite a few perpetrators have used flash mortgage assaults to focus on DeFi protocols. Latest instances embody assaults towards Euler Finance ($196 million) and Mango Markets ($46 million). Eulerwhile ’s hacker returned most of the funds, Mango’s thief has been arrested by United States authorities.

Journal: Should crypto projects ever negotiate with hackers? Probably