Optimism hack costs Hundred Finance $7 million

On the Ethereum layer-2 blockchain Optimism, the multichain lending protocol Hundred Finance has suffered a major security breach. According to Twitter protocol, the current amount of losses is $7.4 million.

On April 15, Hundred Finance announced the vulnerability, stating that it had contacted the perpetrator and was coordinating with multiple security teams. Certik, a blockchain security firm, noted that the assault was a flash loan attack, even though the protocol did not disclose how it was executed.

A flash loan assault occurs when a hacker obtains a large sum of money through a flash loan (a form of an unsecured loan) from a lending protocol. Combining it with other techniques, the programmer manipulates the price of an asset on a decentralized finance (DeFi) platform.

According to Certik, the perpetrator manipulated the exchange rate between ERC-20 tokens and hTOKENS in Hundred’s case, enabling them to withdraw more tokens than they had initially deposited.

According to Certik, substantial loans were obtained under the manipulated exchange rate. Regarding the incident, Hundred Finance is compiling a postmortem report. The blockchain security firm continued:

“The exchange rate formula was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up.”

This attack occurs nearly a year after Hundred was exposed to another Gnosis Chain vulnerability. Using a re-entry attack, the intruder siphoned off all the protocol’s liquidity at that time. More than $6 million were gone. Using the same vulnerability, the intruder seized funds from the Agave Protocol.

Several perpetrators have employed flash loan attacks against DeFi protocols since the previous year. In recent cases, Euler Finance ($196 million) and Mango Markets ($46 million) have been attacked.

While Euler’s breach returned most of the stolen funds, the United States authorities have apprehended the criminal who stole from Mango.