Price Manipulation Attack on Hundred Finance

Hundred Finance marks yet another entry in our Blockchain Hack Database. On April 15, 2023, the hacker was able to manipulate the exchange rate between ERC-20 tokens and h-tokens on their protocol, allowing them to withdraw more tokens than they had originally deposited. The total estimated loss due to the attack is around $7 million. The details on other hacks, and exploits can be accessed in the exploit analysis section of our blog.

First Attack Transaction
Second Attack Transaction
Attacker’s Address

Assets Held: $6.3 million (at the time of this writing)

On-Chain Transaction Analysis:

  1. OpenChain
  2. Cruise by Supremacy


  • The project setup two wBTC cTokens, one of which was used by the UI, one of which was empty.
  • ExchangeRate Relied on the amount of WBTC in the contract.
  • With a flash loan, the attacker donated a huge amount of WBTC to empty the hWBTC contract → allowed for price manipulation.
  • Also a rounding error in another function of the contract.

Attack Explained:

  1. Attacker took a flash loan of 500 WBTC from Aave.
  2. Huge amount of WBTC gave an opportunity for inflation.
  3. Attacker created a proxy contract, and deposited 4 WBTC to it.
  4. Allowed minting 200 hWBTC.
  5. Redeemed 199.98 WBTC.
  6. Transfer 500.3 WBTC to hWBTC contract.
  7. Price of hWBTC got significantly inflated → allowed borrowing ETH (~ 1021.91 ETH)
  8. Redeem 500 WBTC by only using 1 hWBTC.
  9. Liquidate the attack contract → hWBTC supply dropped to 0.
  10. Repeat the process on other pools for profits.
  11. Repay back the flash loan.

Flow of funds for first attack transaction, Visualization using MetaSleuth by BlockSec.
Tracing the funds transferred by the attacker.

Aftermath of the attack:

  • The team acknowledged the incident via a Twitter post. Announcement reads, ‘it looks like …… ‘ → Third person’s perspective, eh?
  • They further stated that they have sent a message to the hacker, and are in talks with multiple security teams.
  • Estimated loss is ~7m USD.
  • Another post on Twitteradvising’ not to speculate on how the attack was executed. Not sure why such a remark was made.
  • 48 hrs later, and after no communication with the attacker, they issued a $500k reward for information that leads to the attacker’s arrest and the return of all funds.
  • Another public offer as per this post,

Token price dropped by 60% and was found to be recovering.

Neptune Mutual and DeFi Hack:

  1. We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced had there been a dedicated cover pool by Hundred Finance in our marketplace.
  2. At the moment, the marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
  3. Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts.
  4. Payouts can be claimed as soon as an incident is resolved through the incident resolution system.
  5. We have setup two types of cover pools:
  • Diversified Pool
    1. Prime dApps: Aave V2, Balancer V2, Curve Finance V2, Gnosis Safe V1, Maker DAO V1, Synthetix V2, Uniswap V2.
    2. Popular DeFi Apps: 1inch V2, Aave V3, Bancor V3, Compound Finance, Convex Finance, dYdX V3, GMX V1, SushiSwap, Uniswap V3.
  • Dedicated Pool
    1. Binance Exchange Custody
    2. Okx Exchange Custody

Additional Resources:

Attack Reference Sources: PeckShield, Beosin