Multichain lending protocol Hundred Finance has skilled a major safety breach on the Ethereum layer-2 blockchain Optimism. In accordance with the protocol on Twitter, the losses sit at $7.4 million.
Hundred Finance introduced the exploit on April 15, saying it had contacted the hacker and was working with numerous safety groups on the incident. Though the protocol did not reveal how the assault was executed, blockchain safety agency Certik famous that it was a flash mortgage assault:
#CertiKSkynetAlert @HundredFinance’s attacker manipulated the trade charge between ERC-20 tokens and htokens which allowed them to withdraw extra tokens than they’d initially deposited. The estimated losses of this assault is round $7.4 million.
Keep vigilant! https://t.co/1hxAnFoNjj
— CertiK Alert (@CertiKAlert) April 15, 2023
Flash mortgage assaults happen when a hacker borrows a considerable amount of funds by way of a flash mortgage (a kind of uncollateralized mortgage) from a lending protocol. The hacker then combines it with different strategies to govern the worth of an asset on a decentralized finance (DeFi) platform.
In Hundred’s case, the attacker manipulated the trade charge between ERC-20 tokens and hTOKENS, permitting them to withdraw extra tokens than initially deposited, based on Certik. The blockchain safety agency continued:
“The trade charge method was manipulated by means of Money worth. Money is the quantity of WBTC that the hBTC contract has. The attacker manipulated it by donating massive quantities of WBTC to the hToken contract in order that the trade charge goes up.”
Certik says that enormous loans have been taken out beneath the manipulated trade charge. Hundred Finance is getting ready a postmortem report on the incident.
This assault comes nearly practically 12 months after Hundred was uncovered to a different exploit on the Gnosis Chain. At the moment, the hacker drained all of the protocol’s liquidity by means of a re-entrancy assault. Over $6 million was misplaced. In the identical exploit, the hacker additionally stole funds from the Agave protocol.
Since final 12 months, plenty of perpetrators have used flash mortgage assaults to focus on DeFi protocols. Latest circumstances embrace assaults in opposition to Euler Finance ($196 million) and Mango Markets ($46 million). Whereas Euler’s hack returned a lot of the funds, Mango’s thief has been arrested by United States authorities.
Journal: Ought to crypto initiatives ever negotiate with hackers? In all probability
