Hundred Finance Hacked for $6.8 Million

Summary

On April 15, 2023, at 2:12 pm UTC, Hundred Finance’s Optimism deployment fell victim to an exploit that drained the platform of all assets in hToken markets. The attacker utilized an integer rounding vulnerability within the hToken contract logic to redeem underlying tokens when a market was empty. The total loss amounted to roughly $6.8 million USD in various cryptocurrencies.

Attackers

The attackers remain unidentified.

Exploiter addresses:

Losses

Losses totaled around $6.8 million USD. These funds were supplied by 180 individual wallets.

  • 1,030 ETH (~ $2,150,000)
  • 1,265,979 USDC
  • 1,113,431 USDT
  • 865,143 SUSD
  • 842,788 DAI
  • 457,286 FRAX
  • 20,854 SNX (~ $56,000)

Timeline

  • April 14, 2023: The attacker withdrew 10 ETH from Tornado Cash.
  • April 15, 2023, 02:12:00 PM +UTC: The attacker exploited the vulnerability and drained the assets.
  • April 15, 2023, 02:37 PM +UTC: The Hundred Finance team announced the hack on Twitter.
  • April 15, 2023, 04:10:47 PM +UTC: The team sent the first on-chain message to the attackers, requesting the return of the funds.
  • April 17, 2023, 04:10 PM: Hundred Finance offered a $500k USD open bounty for information.
  • April 18, 2023, 01:31:59 PM +UTC: The team sent a second on-chain message to the attackers, requesting the return of 90% of the funds within 24 hours.
  • April 23, 2023: Hundred Finance published a post-mortem report.

Security Failure Causes

  • Smart contract vulnerability: The exploit leveraged an integer rounding vulnerability that had existed since the launch of the Compound v2 code. The vulnerability manifested when a market was empty and allowed for the manipulation of collateral value within the hToken markets.
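
The rounding issue above can be quantified with a small model. This is an added example, not code from Hundred Finance or Compound: it assumes the Compound v2 convention of an exchange rate stored as an integer scaled by 1e18 with truncating division, and all function names and market figures are constructed for illustration. It shows why the rounding error is negligible in a populated market, becomes large when the hToken supply is nearly zero, and how a monitoring check can flag that state.

```python
# Added example (not Hundred Finance or Compound code). Models the integer
# math of a Compound v2-style market; names and sample numbers are constructed.
SCALE = 10**18  # exchange rates are stored as integers scaled by 1e18

def exchange_rate(cash, borrows, reserves, total_supply):
    """Underlying per hToken unit, scaled by 1e18; the division truncates."""
    return (cash + borrows - reserves) * SCALE // total_supply

def redeem_underlying(amount, rate):
    """Return (hTokens burned, underlying paid out but not backed by the burn).

    The burn is amount / rate rounded DOWN, so the payout can exceed the
    value of the burned hTokens by up to about one hToken unit's worth.
    """
    burned = amount * SCALE // rate
    return burned, amount - burned * rate // SCALE

def loss_bound(rate):
    """Upper bound on the shortfall of one redeem: ceil(rate / 1e18)."""
    return -(-rate // SCALE)

def market_at_risk(cash, borrows, reserves, total_supply, tolerance):
    """Flag a market where a single redeem's rounding loss could exceed
    `tolerance` (smallest underlying units). Empty markets are flagged."""
    if total_supply == 0:
        return True
    rate = exchange_rate(cash, borrows, reserves, total_supply)
    return loss_bound(rate) > tolerance

# Constructed states: 18-decimal underlying, 8-decimal hToken.
HEALTHY = dict(cash=500 * 10**18, borrows=0, reserves=0,
               total_supply=25_000 * 10**8)  # rate = 2e26
NEAR_EMPTY = dict(cash=500 * 10**18, borrows=0, reserves=0,
                  total_supply=2)            # same cash, 2 hToken units

if __name__ == "__main__":
    for name, m in (("healthy", HEALTHY), ("near-empty", NEAR_EMPTY)):
        rate = exchange_rate(**m)
        print(name, "loss bound:", loss_bound(rate),
              "at risk:", market_at_risk(**m, tolerance=10**12))
```

In the populated market the bound is a fraction of a billionth of one underlying token, while in the near-empty one it is hundreds of whole tokens, which is the condition a listing or monitoring check should reject.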