On 15 April 2023 at 02:12:00 PM UTC, Hundred Finance, a multi-chain lending protocol, was hacked on the Optimism layer-2 blockchain on Ethereum, resulting in a loss of approximately $7 million.
Hundred Finance has acknowledged the hack and stated that they are currently in discussions with various security teams. Additionally, they have attempted to contact the hackers and are hopeful that a mutually agreeable solution can be reached to address the situation.
Based on the call stack analysis, the attack on Hundred Finance followed this sequence of events:
- The attacker took a flash loan of 500 WBTC from Aave.
- The attacker noticed that HWBTC had no current lending activity, except for their own previous operation.
- The attacker redeemed their previously deposited WBTC, causing HWBTC’s total supply to drop to 0.
- Next, the attacker created a minimal proxy contract, deposited 4 WBTC, and calculated that it would result in 200 HWBTC.
- The attacker then kept redeeming WBTC until only 2 wei of HWBTC remained.
- At this point, the attacker had 500 WBTC and 2 wei HWBTC in their created contract.
- The attacker transferred the 500 WBTC to the pool, which increased the price of HWBTC, allowing them to borrow a significant amount of ETH.
- The attacker borrowed ETH against this collateral. Because the contract was written in Solidity 0.5.16, a calculation library was used to guard against overflow, and its integer division rounds down; as a result, redeeming the 500 WBTC required only 1 wei of HWBTC.
- Lastly, the attacker liquidated themselves, which caused HWBTC’s total supply to become 0 again, and then proceeded to repeat the process to attack other lending pools.
An analysis of the code shows that the contract code is largely derived from Compound’s codebase. The primary issue is that there were no borrowers for HWBTC assets on the Hundred Finance platform. As a result, the attacker was able to manipulate the total supply of HWBTC. The attack involved transferring assets to the pool, where a small total supply corresponded to a large amount of underlying assets. This caused the price of hToken to increase, improving the borrower’s borrowing power.
Upon comparing Hundred Finance’s code with Compound’s code, it appears that the observed behavior is consistent with normal logic, and the exchange rate did in fact increase. The subsequent calculations support this conclusion:
The code calculations mentioned above are accurate and valid. Additionally, it should be noted that the Ethereum Virtual Machine (EVM) does not support floating-point numbers; integer division truncates, so every calculation rounds down by default.
As a result of the rounding down performed during the calculations, only 1 wei of HWBTC was actually needed during the redemption process, despite the initial expectation of requiring 2 wei.
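As an added illustration (not code from Hundred Finance or Compound), the following Python reproduces the integer exchange-rate arithmetic described above and shows why the redemption needed 1 wei instead of the expected 2. It assumes Compound's conventions of 8 decimals for both WBTC and HWBTC and an initial exchange rate of 0.02 scaled by 1e18; the round-up variant at the end is one possible hardening, not the project's actual fix.

```python
# Added example: Compound-style hToken exchange-rate arithmetic with EVM integer rounding.
# Assumptions (not taken from the page): WBTC and hWBTC both use 8 decimals, and the
# initial exchange rate is Compound's 0.02, stored as an 18-decimal mantissa.
MANTISSA = 10**18
INITIAL_EXCHANGE_RATE = 2 * 10**16   # 0.02 scaled by 1e18 (assumed Compound default)
WBTC = 10**8                          # 1 WBTC expressed in its smallest unit (8 decimals)


def exchange_rate(cash, borrows, reserves, total_supply):
    """Compound's exchangeRateStored: floor((cash + borrows - reserves) * 1e18 / totalSupply)."""
    if total_supply == 0:
        return INITIAL_EXCHANGE_RATE
    return (cash + borrows - reserves) * MANTISSA // total_supply


def mint_tokens(amount, rate):
    """hTokens minted for `amount` of underlying, rounded down like the EVM."""
    return amount * MANTISSA // rate


def redeem_tokens_floor(amount, rate):
    """hTokens burned to redeem `amount` of underlying with the original round-down."""
    return amount * MANTISSA // rate


def redeem_tokens_ceil(amount, rate):
    """Hardened variant: round the burned hTokens up so a redeemer can never underpay."""
    return -(-amount * MANTISSA // rate)


def walk_through():
    """Replays the numbers from the incident description and returns the key results."""
    # Empty market: depositing 4 WBTC mints 200 hWBTC at the initial rate.
    minted = mint_tokens(4 * WBTC, exchange_rate(0, 0, 0, 0))
    # Supply shrunk to 2 wei hWBTC, then 500 WBTC transferred straight into the pool.
    supply, cash = 2, 500 * WBTC
    inflated = exchange_rate(cash, 0, 0, supply)
    # Redeeming one unit less than the whole pool costs only 1 wei under floor division,
    # although a full redemption would cost 2 wei; rounding up restores the 2.
    want = cash - 1
    return {
        "minted_hwbtc": minted // WBTC,
        "inflated_rate": inflated,
        "burn_full_floor": redeem_tokens_floor(cash, inflated),
        "burn_floor": redeem_tokens_floor(want, inflated),
        "burn_ceil": redeem_tokens_ceil(want, inflated),
    }
```

The inflated rate is 500 WBTC of cash divided by a total supply of 2, so each wei of HWBTC is worth 250 WBTC and truncation decides whether the attacker pays 1 wei or 2.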
The attack was successful due to two primary factors: firstly, the lack of lending activities involving HWBTC allowed the attacker to manipulate the total supply of HWBTC; and secondly, the calculation issue previously mentioned also contributed to the attacker’s success.
Hundred Finance has released a statement advising against speculation on how the attack was executed and has stated that their team is currently preparing a post-mortem report. Their main focus at the moment is to establish communication with the hacker and reach a mutually agreeable resolution. Simultaneously, they are gathering all available information to be prepared for any potential next steps.
They have also requested that anyone affected by the hack and located in the United States, specifically New York, reach out to them through direct message on their social media account or via their team members on Discord.
Recent events have shown that hacks and security breaches have become increasingly rampant in the cryptocurrency industry. As such, it is crucial for projects and platforms to implement strict security measures to safeguard their assets and users. This includes conducting comprehensive security audits, regularly scanning for vulnerabilities, and enforcing best practices for safe coding and smart contract development.
Transparency and swift action are crucial when dealing with security incidents, and projects must prioritize them in order to mitigate the impact and prevent future attacks. In this regard, Hundred Finance has demonstrated responsible behavior by keeping its users and investors informed of any updates regarding the attack.