Hundred Finance is a multi-chain lending protocol. It integrates with Chainlink oracles that feed in prices of the assets to calculate the correct loan-to-collateral ratio. The protocol was first launched in 2021 on Ethereum. The protocol has a native token – HND – its value is now fluctuating near 2-3 cents, according to Coinmarketcap.
In mid-April, Hundred Finance faced what sooner or later happens to anyone working in crypto - a hack. The attack on Hundred Finance was carried out on Optimism – Ethereum's Layer 2 solution.
🚨 We have detected that @HundredFinance on #Optimism has been hacked, resulting in a loss ~1030 ETH (approx US$2.16 mil)
— NumenAlert Ⓝ (@NumenAlert) April 15, 2023
Tx: https://t.co/AoEMqlw4dYhttps://t.co/cv78fLbtC9 https://t.co/EYF9gwWz3k pic.twitter.com/4kUjiNgYUy
The hacker stole about $7 million in cryptocurrencies including ETH, USDC, USDT, SUSD, DAI, FRAX and SNX. According to the Hundred Finance report on this attack, most funds were stolen from the current deployment protocol on Optimism. The rest of the funds, about $50K, were stolen from the previous deployment of the app on the same chain, where funds were awaiting withdrawal by the owners.
The hacker manipulated the price of an unused token on the protocol by exploiting a ‘donate’ command on one of the smart contracts. Because this smart contract was not designed to be used with the protocol vaults, the exchange rate on this particular token was miscalculated, and the hacker drained the funds with the use of that abnormal exchange rate and flash loans. It is not the first time ‘donations’ are used to break the protocols. For example, Euler Finance has recentrly suffered from a similar attack.
Interestingly, the hacker had anonymized the initial funds used in the creation of the vaults with the Tornado cash mixer.
A detailed step-by-step attack scheme is described in the Hundred Finance report. They also report that the vulnerability exploited by the hacker has been around for a long time.
“This vulnerability has existed in the Compound v2 code since its launch despite multiple audits, presenting itself when markets are launched with a collateral value in place but no depositors or following markets becoming empty due to user withdrawal post-launch.”
Hundred Finance suspended all markets on all chains and tried to contact the hacker. But, the attacker did not get in touch, despite the bug bounty offer of 10% of the stolen amount. Not waiting for a response from the hacker, Hundred Finance turned to law enforcement bodies. Also, the protocol team stated that the funds would be returned to the victims of the attack immediately after law enforcement could return them.
After so many similar schemes it is interesting to Observe whether so-called code auditors and security analysts will check the donation functionality of their protocols.
