The multichain lending system Hundred Finance suffered a $7.4 million loss as a result of a flash loan assault on the Ethereum layer-2 blockchain Optimism.
- A severe security flaw on the Ethereum layer-2 blockchain Optimism to a loss of $7.4 million for Hundred Finance, a multichain lending platform.
- To extract more tokens than they initially placed, the attacker most likely used a flash loan attack, which involves manipulating the rate at which ERC-20 tokens and hTOKENS exchange.
Background
Another major security flaw has been discovered in the multichain lending technology Hundred Finance, this time on the Ethereum layer-2 blockchain Optimism. The protocol tweeted that the losses total $7.4 million. Since the attack occurred on April 15, Hundred Finance has been cooperating with several security teams to investigate and contain it. The decentralized finance (DeFi) protocol did not specify how the hack happened. Still, blockchain security company CertiK believes it was a flash loan attack, a frequent form of exploit employed in DeFi attacks.
What happened in the attack?
In flash loan attacks, a hacker borrows a sizable number of unsecured loans from a lending protocol. The attacker then uses the money to influence an asset’s pricing on a DeFi platform. In this instance, the attacker of Hundred Finance could withdraw more tokens than they had initially placed by manipulating the rate at which ERC-20 tokens and hTOKENS are exchanged. According to reports, the hacker changed the conversion rate formula by changing the cash value. Cash represents the amount of WBTC that the hBTC contract currently holds and increases the exchange rate. The attacker made substantial WBTC donations to the token contract. $7.4 million was lost due to significant loans being taken out at the inflated currency rate.
The aftermath of the attack
The security teams and Hundred Finance have been working together to investigate the incident and produce a postmortem report. The attack’s hacker had conversations with the protocol as well. The second notable security lapse for Hundred Finance is this one. The protocol was susceptible to a second Gnosis Chain problem the previous year, which allowed a hacker to drain its liquidity entirely through a reentrancy attack, costing $6 million. The hacker also took money from the Agave protocol during the same episode.
Flash loan attacks in DeFi
Attackers use flash loan assaults, a popular form of exploit in the DeFi domain, to take advantage of holes in lending protocols. Recent attacks on many well-known DeFi protocols have cost millions of dollars in losses. An attack on Euler Finance last month resulted in a $196 million loss. The protocol recovered when the attacker refunded most of the money. Last month’s attack also had Mango Markets as a target; as a result, $46 million was lost. However, the attack’s perpetrator has been detained by US police.
Conclusion
Attacks against the DeFi industry have increased over the past year, with flash loan attacks becoming a popular way for hackers to take advantage of holes in lending standards. The most recent attack on Hundred Finance serves as a reminder of the value of protecting DeFi protocols and proactively preventing attacks. DeFi presents many prospects for financial innovation and equality, but it also exposes consumers to hazards, so it’s important to be alert and knowledgeable. Security will continue to be a primary concern for protocols, investors, and users alike as the DeFi market expands and changes.
