Hundred Finance marks yet another entry in our Blockchain Hack Database. On April 15, 2023, the hacker was able to manipulate the exchange rate between ERC-20 tokens and h-tokens on the protocol, allowing them to withdraw more tokens than they had originally deposited. The total estimated loss due to the attack is around $7 million. Details of other hacks and exploits can be found in the exploit analysis section of our blog.
First Attack Transaction
Second Attack Transaction
Attacker’s Address
Assets Held: $6.3 million (at the time of this writing)
On-Chain Transaction Analysis:
Cause:
- The project set up two wBTC hTokens (Compound-style cTokens): one was used by the UI, the other was empty.
- The exchange rate relied on the amount of WBTC held in the contract.
- Using a flash loan, the attacker donated a large amount of WBTC to the empty hWBTC contract, which made the exchange rate manipulable.
- A rounding error in another function of the contract also contributed.
Attack Explained:
- The attacker took a flash loan of 500 WBTC from Aave.
- The large WBTC balance created the opportunity for exchange-rate inflation.
- The attacker created a proxy contract and deposited 4 WBTC into it.
- This allowed minting 200 hWBTC.
- Redeemed 199.98 WBTC.
- Transferred 500.3 WBTC to the hWBTC contract.
- The price of hWBTC became significantly inflated, which allowed borrowing ETH (~1021.91 ETH).
- Redeemed 500 WBTC using only 1 hWBTC.
- Liquidated the attack contract, dropping the hWBTC supply to 0.
- Repeated the process on other pools for profit.
- Repaid the flash loan.
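The cause and the attack steps above both come down to one piece of accounting: a Compound-style market values each hToken as (cash + borrows - reserves) / totalSupply, so a plain ERC-20 transfer into a market whose supply has been reduced to dust sends the exchange rate to an absurd value, a later depositor's mint rounds down to zero hTokens, and the dust holder redeems everything. The model below is an added example written for this post, not Hundred Finance's contract code; it assumes 8-decimal WBTC base units, the Compound convention of a 0.02 initial exchange rate for an empty market, and, as the hardened variant, a virtual-shares offset (the mitigation OpenZeppelin uses against ERC-4626 inflation), which is not something the affected market had. The numbers in the scenario are constructed to mirror the post's sequence.

```python
"""Constructed model of Compound-style hToken exchange-rate accounting.

Added example, not Hundred Finance's code. Assumptions: 8-decimal WBTC
base units, a 0.02 initial exchange rate for an empty market (Compound
convention), and a virtual-shares offset as the hardened variant.
"""
from dataclasses import dataclass

MANTISSA = 10**18
WBTC = 10**8                 # 1 WBTC in 8-decimal base units
INITIAL_RATE = 2 * 10**16    # 0.02 underlying per hToken while supply is zero


@dataclass
class Market:
    cash: int = 0            # underlying actually held by the contract
    borrows: int = 0
    reserves: int = 0
    total_supply: int = 0    # hTokens outstanding
    virtual_assets: int = 0  # hardened variant only; zero reproduces the vulnerable math
    virtual_shares: int = 0

    def exchange_rate(self) -> int:
        """Underlying per hToken, scaled by MANTISSA (Compound formula)."""
        shares = self.total_supply + self.virtual_shares
        if shares == 0:
            return INITIAL_RATE
        assets = self.cash + self.borrows - self.reserves + self.virtual_assets
        return assets * MANTISSA // shares

    def mint(self, amount: int) -> int:
        """Deposit underlying; hTokens minted round down."""
        tokens = amount * MANTISSA // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        return tokens

    def redeem(self, tokens: int) -> int:
        """Burn hTokens for underlying at the current rate."""
        amount = tokens * self.exchange_rate() // MANTISSA
        self.total_supply -= tokens
        self.cash -= amount
        return amount

    def donate(self, amount: int) -> None:
        """A plain ERC-20 transfer into the contract: cash rises, supply does not."""
        self.cash += amount


def hardened_market(decimals_offset: int = 6) -> Market:
    """Market with virtual shares/assets so the rate stays bounded at low supply."""
    return Market(virtual_assets=1, virtual_shares=10**decimals_offset)


def run_inflation_scenario(market: Market) -> dict:
    """Replay the post's sequence (deposit, redeem down to dust, donate) and
    report what a 1 WBTC depositor and the dust holder end up with."""
    minted = market.mint(4 * WBTC)
    market.redeem(minted - 1)            # leave a single hToken base unit
    market.donate(500 * WBTC)            # donation against near-zero supply
    rate = market.exchange_rate()
    victim_tokens = market.mint(1 * WBTC)  # honest depositor arriving afterwards
    dust_value = market.redeem(1)          # underlying the dust unit now redeems for
    return {"rate": rate, "victim_tokens": victim_tokens, "dust_value": dust_value}


if __name__ == "__main__":
    for label, m in (("vulnerable", Market()), ("hardened", hardened_market())):
        r = run_inflation_scenario(m)
        print(label, "rate/1e18 =", r["rate"] // MANTISSA,
              "victim hTokens =", r["victim_tokens"],
              "dust redeems =", r["dust_value"] / WBTC, "WBTC")
```

In the vulnerable market the dust unit redeems for the whole 500 WBTC donation plus the later depositor's 1 WBTC, and that depositor receives zero hTokens; this same inflated valuation is what lets the dust position serve as collateral for the ETH borrow described above. With the virtual-shares offset the donation is spread over a million virtual shares, the dust unit redeems for well under 0.001 WBTC, and the honest depositor receives a proportional balance. Seeding every market at deployment (so totalSupply never returns to dust) is the cheaper fix for an already deployed Compound fork; either way, a monitoring rule that alerts when a market's exchange rate jumps by orders of magnitude in one block would have flagged this sequence immediately.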
Flow of funds for the first attack transaction, visualized using MetaSleuth by BlockSec.
Tracing the funds transferred by the attacker.
Aftermath of the attack:
- The team acknowledged the incident via a Twitter post. The announcement reads ‘it looks like …’ → third person’s perspective, eh?
- They further stated that they had sent a message to the hacker and were in talks with multiple security teams.
- Estimated loss is ~7m USD.
- Another post on Twitter ‘advised’ against speculating on how the attack was executed. Not sure why such a remark was made.
- 48 hours later, after no communication from the attacker, they issued a $500k reward for information leading to the attacker’s arrest and the return of all funds.
- Another public offer as per this post,
- Return 90% of the funds before April 19 and keep 10% as a white hat bounty.
- No charges after the funds are returned.
- The details of the tokens to transfer, and the receiving treasury address.
- Share the details of the bounty that can be held back.
The token price dropped by 60% and was recovering at the time of writing.
Neptune Mutual and DeFi Hack:
- We could not have prevented this hack; however, its impact and aftermath could have been significantly reduced had Hundred Finance had a dedicated cover pool in our marketplace.
- At the moment, the marketplace is available on two popular blockchain networks, Ethereum and Arbitrum.
- Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts.
- Payouts can be claimed as soon as an incident is resolved through the incident resolution system.
- We have set up two types of cover pools:
- Diversified Pool
  - Prime dApps: Aave V2, Balancer V2, Curve Finance V2, Gnosis Safe V1, Maker DAO V1, Synthetix V2, Uniswap V2.
  - Popular DeFi Apps: 1inch V2, Aave V3, Bancor V3, Compound Finance, Convex Finance, dYdX V3, GMX V1, SushiSwap, Uniswap V3.
- Dedicated Pool
  - Binance Exchange Custody
  - Okx Exchange Custody
Additional Resources:
- Understanding Underwriting Capital: Not all pools are alike
- The Neptune Mutual Ecosystem
- Bootstrapping Liquidity Pools & DeFi Insurance
Attack Reference Sources: PeckShield, Beosin