Hundred Finance, a multichain lending protocol, has suffered a security breach on the Ethereum layer-2 blockchain Optimism, resulting in a loss of $7.4 million. The protocol announced the exploit on April 15 and stated it was working with security teams and had contacted the hacker.
According to blockchain security company CertiK, The hack was a flash loan attack, in which a significant sum of money is borrowed from a lending protocol via an uncollateralized loan, and that money is then used to manipulate the price of an asset on a decentralized finance (DeFi) platform.
In this instance, the attacker tricked Hundred Finance into allowing them to withdraw more tokens than they had initially placed by manipulating the exchange rate between ERC-20 tokens and hTOKENS. CertiK explained that the attacker manipulated the exchange rate formula by donating large amounts of WBTC to the hToken contract, causing the exchange rate to go up. As a result, the attacker was able to take out large loans under the manipulated exchange rate.
This is not the first time Hundred Finance has been targeted by attackers. Almost a year ago, the protocol was exposed to another exploit on the Gnosis Chain, where the hacker drained all of the protocol's liquidity through a reentrancy attack and stole over $6 million. In the same exploit, funds were also stolen from the Agave protocol.
Flash loan attacks have become a common method perpetrators use to target DeFi protocols, with recent high-profile cases including attacks against Euler Finance ($196 million) and Mango Markets ($46 million). While Euler Finance's hacker returned most of the funds, and Mango Markets' thief has been arrested by US authorities, the frequency and scale of flash loan attacks highlight the need for robust security measures and constant vigilance in the DeFi space.
Hundred Finance is expected to release a postmortem report on the recent incident to provide further details on the attack and its impact. In the meantime, the DeFi community continues to face ongoing challenges in securing protocols and protecting user funds from malicious actors.
Also, read - Ethereum's Shapella Upgrade Concluded, but Few Validators to Withdraw Staked Ether
