Hundred Finance, a multichain lending technology, has suffered a severe security compromise on the Optimism Ethereum layer-2 blockchain. According to the procedure, the total loss was $7.4 million.
On April 15, Hundred Finance announced the exploit, stating that they have contacted hackers and are working with multiple security teams to address the issue. Although the protocol does not specify how the attack was carried out, blockchain security firm CertiK confirmed that it was a flash loan attack:
Flash loan attacks involve hackers borrowing large sums of money from lending protocols through unsecured loans. The hacker then manipulates the asset’s price on a decentralized finance (DeFi) platform with the funds.
According to Certik, in the Hundred situation, the attackers changed the exchange rate between the ERC-20 tokens and hTOKENS, allowing them to withdraw more tokens than they had originally invested. “The exchange rate formula is manipulated through the Cash rate,” continues the blockchain security firm. The cash value of an hBTC contract is the amount of WBTC it contains. Attackers manipulate exchange rates by supplying large amounts of WBTC to hToken contracts.”
Certik claims that large loans were taken out when exchange rates were manipulated. Hundred Finance is compiling a post-mortem report on the incident. This attack occurred over a year after Hundred was exposed to another Chain of Gnosis exploit. At that time, hackers used a reentrancy attack to drain all of the protocol’s liquidity, stealing nearly $6 million. Hackers also stole cash from the Agave protocol using the same attack.
Several criminals have been using flash loan attacks to target DeFi protocols since last year. The attacks on Euler Finance ($196 million) and Mango Markets ($46 million) are the most recent examples. While hacker Eulerwhile returns most of the funds, Mango’s thieves are caught by US police.