HUNDRED FINANCE - April 15, 2023


Drop your email to read the BlockApex newsletter and keep yourself updated around the clock.

    Table Of Content



    Hundred Finance, a prominent entity in the decentralized finance (DeFi) space, facilitates borrowing and lending of cryptocurrencies. It emerged from the DeFi boom of 2020, allowing users to leverage their crypto assets to earn yield and borrow assets in a secure and efficient manner. The platform is built to function seamlessly in a multi-chain environment, highlighting its adaptability in the rapidly evolving crypto landscape. It first launched for testing on Ethereum’s Kovan testnet in mid-2021, and following successful trials, it was launched on the Ethereum mainnet.

    Hack Impact

    On April 15th, 2023, Hundred Finance was hacked, resulting in a loss of approximately $7.4 million USD in various cryptocurrencies. The attacker exploited an integer rounding vulnerability in the platform's contract logic when a market was empty. The attack affected 180 individual wallets. In response to the hack, Hundred Finance paused markets, alerted the community, began tracking the hacker, and issued a $500k USD open bounty for information leading to the hacker's arrest and the return of all funds.

    Step 1: Using Flashloan

    Firstly, the attacker took advantage of a feature called 'Flashloan'. Flashloans are unique to blockchain and allow a user to borrow a large amount of assets with zero upfront collateral, but with the caveat that they must return it within the same transaction. The attacker successfully initiated a flashloan to borrow 500 WBTC (Wrapped Bitcoin).

    Step 2: Minting and Exploiting Empty Pool

    Upon observing that the hWBTC lending pool was devoid of activity (no one was lending or borrowing), the attacker saw an opportunity. They deposited the borrowed WBTC into the empty hWBTC pool, 'minting' hWBTC tokens in the process.

    Step 3: Manipulating Exchange Rate

    With the hWBTC tokens in hand, the attacker cleverly exploited the protocol's exchange rate function. They deposited 4 WBTC into a custom-crafted smart contract and received an inflated amount of hWBTC tokens in return. Why? Because the exchange rate was abnormally high due to the fact that the hWBTC pool was previously empty.

    Step 4: Inflating Collateral Value

    Next, the attacker returned 500 WBTC to the original hWBTC pool, causing a dramatic surge in the value of hWBTC tokens. Since they were the only ones holding hWBTC, this effectively inflated their collateral value in the pool.

    Step 5: Borrowing More Assets

    The attacker capitalized on this artificial collateral value and borrowed 1021.91 ETH. This was a considerable sum of ETH, borrowed at a significantly lower cost than it should have been. The key to this step was the manipulation of the exchange rate and collateral value in the previous steps.

    Step 6: Covering Tracks and Making Profit

    Finally, the attacker repaid the initial flashloan with a tiny fraction of the borrowed ETH, keeping the majority of the assets. This was all done in a single transaction, thus satisfying the flashloan's conditions and avoiding any trace of debt.

    This clever yet malicious exploit hinges on a specific vulnerability in the redeemUnderlying function of the protocol’s smart contract. This function had an integer rounding error that presented itself when a market was empty, a condition the attacker used to their advantage.

    Transaction Analysis

    Exploiter's Address: 0x155da45d374a286d383839b1ef27567a15e67528

    This is the address used by the attacker to execute the exploit and receive the stolen WBTC and ETH. By examining the transaction history of this address, we can trace the steps taken by the attacker, including the preparation for the exploit and the subsequent token swaps.

    Hack Transactions: 0x6e9ebcde... and 0x15096dc6...

    These transactions reveal how the attacker used to manipulate the exchange rate and redeem more tokens than initially deposited. The transactions expose that the attacker flashloaned 500 WBTC, donated large amounts of WBTC to manipulate the exchange rate and withdraw 1021.91 ETH and 500.3 WBTC.

    Drained WBTC and ETH:

    Following the successful exploit of Hundred Finance, the attacker drained 500.3 WBTC and 1021.91 ETH to their address. They then bridged most of the stolen funds to ETH where they were swapped for USDT and USDC, or deposited into Curve. The swap contributed to the temporary crash in the HND token price, which dropped around 50% following the exploit. At the time of writing, the hacker’s debank profile showed approximately $5.4M of assets on Ethereum and $0.9M remaining on Optimism.

    Funds Flow


    The exploit in Hundred Finance's smart contract underscores the critical importance of robust security practices in the development and deployment of such contracts. Vulnerabilities can lead to significant losses and shake trust in the platform. By conducting rigorous testing, adopting secure coding practices, and enlisting the services of external auditing firms like BlockApex, developers can greatly enhance the security of their smart contracts, protect users' funds, and maintain the integrity of their platforms.

    Ultimately, security is not a one-time activity but an ongoing process of continuous improvement and adaptation to emerging threats. It's crucial to stay informed about the latest developments in smart contract security and to update and improve security practices accordingly.

    Also read, Hack Analysis of Dexible.

    More Hack Analysis

    DEUS DAO - May 6, 2023

    The Deus DAO hack had significant financial consequences, with users collectively losing around $6.5 million across Arbitrum, BSC, and Ethereum chains. Furthermore, the hack caused the DEI stablecoin to depeg by more than 80%, destabilizing its value and potentially shaking investor confidence.

    Kokomo Finance - Hack Analysis (March 27, 2023)

    Kokomo Finance has taken off with approximately $4 million worth of user funds, leaving users unable to withdraw their funds. Wrapped Bitcoin deposits were rugged, with almost $2M of tokens still remaining in the project’s pools on Optimism.

    Orion Protocol - February 4, 2023

    The attackers exploited a reentrancy vulnerability in the Orion Protocol's core contract, ExchangeWithOrionPool, by constructing a fake token (ATK) with self-destruct capability that led to the transfer() function.

    Pickle Finance Hack Analysis & POC (Nov 21st, 2021)

    On 21sth November 2021, Pickle finance was hacked, where an attacker was able to drain $19M DAI from the pDai jar. The attack exploited multiple inconsistencies & flaws in the logic of the pickle jar contract.

    ZUNAMI - Hack Analysis

    Zunami is a decentralized protocol operating in the Web3 space, specializing in issuing aggregated stablecoins like UZD and zETH. These stablecoins are generated from omnipools that employ various profit-generating strategies. Recently, the protocol was exploited, resulting in a loss of $2.1M.

    LEVEL FINANCE - May 2, 2023

    The Level Finance hack significantly affected the platform and its users, as the attacker managed to steal $1.1 million in referral rewards. This breach undermined trust in Level Finance and raised concerns about the security of similar DeFi platforms.

    Cream Finance Hack: What Motivates Hackers to Return Stolen Funds?

    From an outsider’s perspective, returning millions of dollars worth of funds after successfully pulling off a complicated exploit is, at best, admirable, and at worst, foolish. What could be the motivation behind such a decision?

    BonqDAO - February 3, 2023

    The BonqDAO security breach that occurred on February 2, 2023, had far-reaching consequences for the platform, its users, and the wider DeFi ecosystem. The attack exploited a vulnerability in the integration of the Tellor Oracle system, which BonqDAO relied on for obtaining token price information.

    DeFiGeek Community JAPAN - Hack Analysis (Apr 17, 2023)

    On Apr 17, 2023. The DeFiGeek Community fell victim to a security breach in which an attacker exploited a flash loan vulnerability, causing the loss of 10 ETH (valued at over $20,000) from their DeFiGeek Community Pool Dai (fDAI-102

    1 2 3
    Designed & Developed by: 
    All rights reserved. Copyright 2023