On April 15, the DeFi platform Hundred Finance confirmed that it had been hacked, resulting in a loss of $7.4 million. The platform, a fork of the popular Compound protocol that has been deployed on several blockchains, reported that it had contacted the hacker and was working with various security teams to resolve the issue. The protocol also urged anyone with information to come forward and assist with the investigation.
Estimated current loss is ~7m USD.
Once again we hope the hacker will reach out back to us and we will be able to find a joint solution to resolve this matter. 🙏
Thank you everyone for your support and help during these difficult times. ❤️ https://t.co/wLGAl4AAGA
— Hundred Finance (@HundredFinance) April 15, 2023
According to blockchain security firms PeckShield and CertiK, the hacker was able to steal the funds by manipulating the exchange rate between ERC-20 tokens and htokens. The attacker donated a large amount of Wrapped Bitcoin (WBTC) to the htoken contract, causing the exchange rate to rise. The hacker then used the inflated rate to take a large borrow position and redeemed the initial amount they had deposited. This allowed them to drain the lending pools with a tiny amount of hWBTC.
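The rate manipulation described above leaves a trace that a monitor can pick up from on-chain market state. The following is an added example, not code from Hundred Finance or the security firms: it assumes the htoken follows the Compound v2 rule (exchange rate = (cash + borrows - reserves) / total supply) and flags a market whose rate jumps between two snapshots. The snapshot values, thresholds and function names are constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

INITIAL_RATE = Fraction(1, 50)  # constructed stand-in for the market's configured initial rate

@dataclass(frozen=True)
class Snapshot:
    """State of one lending market at a block, in base units (constructed data)."""
    cash: int          # underlying held by the htoken contract
    borrows: int       # underlying currently lent out
    reserves: int      # underlying set aside for the protocol
    total_supply: int  # htokens in circulation

def exchange_rate(s: Snapshot) -> Fraction:
    """Underlying per htoken under the assumed Compound v2 rule."""
    if s.total_supply == 0:  # an empty market falls back to its initial rate
        return INITIAL_RATE
    return Fraction(s.cash + s.borrows - s.reserves, s.total_supply)

def unexplained_underlying(prev: Snapshot, cur: Snapshot) -> Fraction:
    """Underlying backing the current supply beyond what the previous rate implies.
    Deposits mint htokens at the current rate, so they contribute nothing here;
    interest contributes a little, a direct transfer to the contract a lot."""
    return (cur.cash + cur.borrows - cur.reserves) - exchange_rate(prev) * cur.total_supply

def donation_alerts(prev, cur, max_jump=Fraction(101, 100), min_supply=10**6):
    """Return alert codes for the move between two consecutive snapshots."""
    alerts = []
    if cur.total_supply < min_supply:
        alerts.append("THIN_SUPPLY")  # so few htokens that any cash change swings the rate
    if exchange_rate(cur) > exchange_rate(prev) * max_jump:
        alerts.append("RATE_JUMP")    # faster than interest accrual can explain
    return alerts

# Constructed snapshots: a busy market accruing interest, and a nearly empty one
# whose contract balance rises sharply while the htoken supply stays the same.
HEALTHY_PREV = Snapshot(60_000_000_000, 40_000_000_000, 0, 5_000_000_000_000)
HEALTHY_CUR = Snapshot(60_000_000_000, 40_010_000_000, 1_000_000, 5_000_000_000_000)
THIN_PREV = Snapshot(4, 0, 0, 200)
THIN_CUR = Snapshot(50_000_000_004, 0, 0, 200)

if __name__ == "__main__":
    for name, prev, cur in [("healthy", HEALTHY_PREV, HEALTHY_CUR),
                            ("thin", THIN_PREV, THIN_CUR)]:
        print(name, donation_alerts(prev, cur), int(unexplained_underlying(prev, cur)))
```

A collateral valuation that multiplies an htoken balance by this rate inherits any jump in it, which is why both alerts matter to a lending market.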
This is not the first time that Hundred Finance has been hacked. In 2022, the platform was exploited, along with Agave, in a reentrancy attack on Gnosis Chain. The two platforms lost $11 million at the time. These incidents highlight the need for better security measures and stronger protocols in the DeFi space.
The Hundred Finance team advised its community to stop speculating on how the attack happened and instead focus on contacting the attacker and reaching an agreement. While it is commendable that the platform attempts to resolve the issue through discussions with the attacker, it is unclear whether this approach will succeed. It is also important for Hundred Finance to implement stronger security measures to prevent future attacks.
The DeFi space has seen a surge in popularity in recent years, but it is still an evolving industry. As such, it is vulnerable to hacks and exploits. It is essential for DeFi protocols to prioritize security measures and work with experts to identify and mitigate potential vulnerabilities. The Hundred Finance hack serves as a reminder that even established protocols are not immune to attacks and that the industry needs to continue to innovate and improve to protect users’ funds.