Multichain lending protocol Hundred Finance has experienced a major security breach on the Ethereum layer-2 blockchain Optimism. The protocol tweeted that the losses sit at $7.4 million.
Hundred Finance announced the exploit on April 15, saying it had contacted the hacker and was working with various security teams on the incident. Though the protocol didn’t reveal how the attack was executed, blockchain security firm CertiK said it was a flash loan attack:
#CertiKSkynetAlert @HundredFinance’s attacker manipulated the exchange rate between ERC-20 tokens and htokens which allowed them to withdraw more tokens than they had originally deposited. The estimated losses of this attack is around $7.4 million.
Stay vigilant! https://t.co/1hxAnFoNjj
— CertiK Alert (@CertiKAlert) April 15, 2023
Flash loan attacks involve a hacker borrowing a large amount of funds through a type of uncollateralized loan from a lending protocol. The hacker then uses these funds to manipulate the price of an asset on a decentralized finance (DeFi) platform.
In Hundred’s case, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS, allowing them to withdraw more tokens than originally deposited, according to CertiK. The blockchain security firm continued:
“The exchange rate system was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up.”
CertiK says that large loans were taken out under the manipulated exchange rate. Hundred Finance was preparing a postmortem report on the incident.
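To make the mechanism CertiK describes concrete, the following added example (not Hundred Finance's or CertiK's code) models a market whose exchange rate is computed as (cash + borrows - reserves) / totalSupply, and compares reading Cash from the raw token balance against tracking it internally. The Compound-style formula is an assumption, and all names and numbers are constructed for illustration.

```python
from dataclasses import dataclass

SCALE = 10**18  # fixed-point scale for the exchange rate (assumption)

@dataclass
class Market:
    """Toy hToken market; all field names are hypothetical."""
    token_balance: int  # underlying actually held by the contract
    tracked_cash: int   # underlying received through mint/repay paths only
    borrows: int
    reserves: int
    total_supply: int   # hTokens outstanding

    def donate(self, amount: int) -> None:
        # A plain token transfer to the contract: the balance grows, but no
        # hTokens are minted and the internal counter is not updated.
        self.token_balance += amount

    def _rate(self, cash: int) -> int:
        return (cash + self.borrows - self.reserves) * SCALE // self.total_supply

    def rate_from_balance(self) -> int:
        # Weak form: Cash is read from the raw balance, so a donation moves it.
        return self._rate(self.token_balance)

    def rate_from_tracked_cash(self) -> int:
        # Hardened form: Cash is internal accounting, so a donation is ignored.
        return self._rate(self.tracked_cash)

    def unaccounted(self) -> int:
        # Monitoring signal: underlying that arrived outside mint/repay.
        return self.token_balance - self.tracked_cash

def rate_jump_bps(before: int, after: int) -> int:
    """Relative change of the exchange rate in basis points."""
    return (after - before) * 10_000 // before

def demo():
    # Constructed state: 100 units of cash, 50 borrowed, 7,500 hTokens (8 decimals).
    m = Market(100 * 10**8, 100 * 10**8, 50 * 10**8, 0, 7_500 * 10**8)
    before = m.rate_from_balance()
    m.donate(150 * 10**8)
    return before, m.rate_from_balance(), m.rate_from_tracked_cash(), m.unaccounted()

if __name__ == "__main__":
    before, weak, hardened, stray = demo()
    print(f"balance-based rate jump: {rate_jump_bps(before, weak)} bps")
    print(f"tracked-cash rate jump:  {rate_jump_bps(before, hardened)} bps")
    print(f"unaccounted underlying:  {stray}")
```

A non-zero `unaccounted()` value or a large per-block `rate_jump_bps` is the kind of signal a monitor can alert on before borrowing against the market is allowed to proceed.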
This attack comes almost a year after Hundred was exposed to another exploit on the Gnosis Chain. At the time, the hacker drained all the protocol’s liquidity through a reentrancy attack, taking over $6 million. In the same exploit, the hacker also stole funds from the Agave protocol.
Since last year, various perpetrators have used flash loan attacks to target DeFi protocols. Recent cases include attacks against Euler Finance ($196 million) and Mango Markets ($46 million). While Euler’s hacker returned most of the funds, Mango’s thief has been arrested by United States authorities.