April 20th, 2023
In April 2023, Hundred Finance suffered a $7.4 million hack. The attacker used a flash loan to manipulate a token exchange rate and drain value from the protocol.
When Hundred Finance set up its WBTC hToken contracts, it deployed two of them. One was used by the normal protocol and reachable through the Hundred Finance UI, while the other was unused and empty.
The attacker took advantage of this empty contract, donating value to it to change the exchange rate between WBTC and hWBTC. By manipulating the exchange rate, the attacker was able to drain all value from the contract. The attack was made worse by the fact that the function for redeeming underlying value also contained a rounding error.
In the end, the attacker was able to manipulate the exchange rate so far that a tiny amount of hWBTC was equivalent to everything deposited in the contract’s lending pools. This allowed the attacker to drain $7.4 million from the contract.
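To make the two mechanics above concrete, here is a small Python model of a Compound-style market, written for this article and not taken from Hundred Finance's or Compound's code. It assumes an initial exchange rate of 1:1, no borrows and no reserves (all constructed values); with those assumptions it shows why an empty market's rate moves when underlying is simply transferred in, why truncating division in `redeem_underlying` then returns zero hTokens burned for a non-zero withdrawal, and how two defensive changes (rounding the burn up and rejecting zero burns, and seeding the market with non-withdrawable "dead" shares) blunt both problems.

```python
"""Toy model of a Compound-style lending market (constructed example, not Hundred
Finance's or Compound's code). Amounts are in smallest units and are made up.

It illustrates:
  1. the exchange rate of a market with almost no hToken supply can be moved by
     transferring underlying into it without minting (a "donation"), and
  2. truncating integer division in redeemUnderlying becomes dangerous once that
     rate is inflated (zero hTokens burned for a non-zero withdrawal).
"""
from dataclasses import dataclass

MANTISSA = 10**18  # the exchange rate is stored scaled by 1e18, as in Compound v2


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up (b > 0)."""
    return -(-a // b)


@dataclass
class Market:
    initial_rate: int = MANTISSA        # assumed 1:1 initial rate (constructed)
    cash: int = 0                       # underlying held by the market
    total_supply: int = 0               # hTokens outstanding
    round_up: bool = False              # hardened mode: round hTokens burned up
    dead_shares: int = 0                # mitigation: non-withdrawable seed shares

    def __post_init__(self) -> None:
        # Protocol seeds the market with shares nobody can redeem, so total_supply
        # can never be tiny relative to a donation (Uniswap-V2-style "dead" shares).
        self.cash += self.dead_shares
        self.total_supply += self.dead_shares

    def exchange_rate(self) -> int:
        """(cash + borrows - reserves) * 1e18 / totalSupply; borrows = reserves = 0 here."""
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * MANTISSA // self.total_supply

    def mint(self, amount: int) -> int:
        """Deposit underlying and receive hTokens at the current rate (truncating)."""
        tokens = amount * MANTISSA // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        return tokens

    def donate(self, amount: int) -> None:
        """A plain token transfer into the market: raises cash without minting."""
        self.cash += amount

    def redeem_underlying(self, amount: int) -> int:
        """Withdraw `amount` underlying and return the number of hTokens burned.

        The truncating path reproduces the rounding defect the write-up describes:
        once the rate is inflated, a non-zero `amount` can cost 0 hTokens. The
        hardened path rounds up and refuses a zero burn.
        """
        rate = self.exchange_rate()
        if self.round_up:
            tokens = ceil_div(amount * MANTISSA, rate)
            if tokens == 0:
                raise ValueError("redeem would burn zero hTokens")
        else:
            tokens = amount * MANTISSA // rate
        if amount > self.cash or tokens > self.total_supply - self.dead_shares:
            raise ValueError("insufficient balance")
        self.cash -= amount
        self.total_supply -= tokens
        return tokens


def rate_after_donation(seed_deposit: int, donation: int, *, round_up: bool = False,
                        dead_shares: int = 0) -> dict:
    """Seed an empty market with a tiny deposit, donate, and report the rate change."""
    m = Market(round_up=round_up, dead_shares=dead_shares)
    m.mint(seed_deposit)
    before = m.exchange_rate()
    m.donate(donation)
    return {"rate_before": before, "rate_after": m.exchange_rate(),
            "supply": m.total_supply, "market": m}


if __name__ == "__main__":
    weak = rate_after_donation(seed_deposit=1, donation=10_000)
    print(f"unprotected: rate {weak['rate_before']} -> {weak['rate_after']}, "
          f"supply {weak['supply']}")
    print("hTokens burned for 5000 underlying:", weak["market"].redeem_underlying(5_000))
    safe = rate_after_donation(seed_deposit=1, donation=10_000, round_up=True,
                               dead_shares=10**6)
    print(f"with dead shares: rate {safe['rate_before']} -> {safe['rate_after']}")
```

The unprotected run moves the rate by four orders of magnitude with a single deposit of one unit, and the truncating redeem then burns zero hTokens for a 5,000-unit withdrawal; the seeded market barely moves, and the rounded-up redeem always charges at least one hToken. A review of a Compound fork should check both the rounding direction in every redeem and borrow path and whether every deployed market, used or not, is protected against a near-zero `totalSupply`.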
Hundred Finance was a fork of Compound. The vulnerability the attacker exploited was part of this forked code rather than something unique to the protocol.
This hack highlighted the risks of copy-pasting code from third parties. When a vulnerability is discovered in one protocol, every protocol that inherited the same code is potentially vulnerable as well.
The Hundred Finance hack demonstrated the importance of security reviews of smart contract code and deployment processes. For more information, reach out to our Web3 security experts here.