Hundred Finance - REKT 2
Incident Overview
On April 15, 2023, Hundred Finance suffered a $7.4M exploit on the Optimism blockchain. This marked the protocol's second appearance on the REKT leaderboard, bringing their cumulative losses to $16.9M across multiple incidents.
Technical Root Cause
Hundred Finance, a Compound fork utilizing hTokens to track lending positions, contained a critical vulnerability in its exchange rate calculation mechanism. The protocol had deployed two separate wBTC cToken contracts—one actively used by the UI and one empty. The vulnerability stemmed from:
1. Exchange rate manipulation: The getAccountSnapshot function's exchangeRateMantissa calculation relied directly on the WBTC balance within the hWBTC contract
2. Rounding error: The redeemUnderlying function contained a rounding vulnerability that could be exploited
3. Insufficient safeguards: No protection against artificial inflation of exchange rates through token donations
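To make the three root causes concrete, the following model is an added example (not Hundred Finance's or Compound's code) of the Compound-style exchange-rate arithmetic: cash is read from the underlying token's balanceOf, so a plain transfer into the market changes the rate without minting any hTokens, and redeemUnderlying truncates the number of hTokens to burn toward zero. Next to the vulnerable path it shows the two defensive checks a reviewer would want, internal cash accounting and a zero-share guard, and the two invariant tests that would have flagged the flaw in a fork. All numbers and the HTokenMarket class are constructed for illustration.

```python
"""Constructed model of the cToken/hToken exchange-rate math and the
defensive checks that close the donation and rounding paths.
Illustrative numbers only, not on-chain values."""
from dataclasses import dataclass

WAD = 10**18  # Compound's 1e18 fixed-point scale (the "mantissa")


@dataclass
class HTokenMarket:
    """Minimal market state (constructed; not the protocol's contract)."""
    underlying_balance: int = 0   # what underlying.balanceOf(address(this)) reports
    tracked_cash: int = 0         # cash the market has accounted for via mint/redeem
    total_supply: int = 0         # hTokens outstanding
    total_borrows: int = 0
    total_reserves: int = 0
    initial_rate: int = WAD       # rate used while total_supply == 0
    hardened: bool = False        # internal accounting + zero-share guard

    def exchange_rate(self) -> int:
        # Compound: (cash + borrows - reserves) * 1e18 / totalSupply
        if self.total_supply == 0:
            return self.initial_rate
        # Vulnerable path trusts balanceOf; hardened path trusts its own ledger
        cash = self.tracked_cash if self.hardened else self.underlying_balance
        return (cash + self.total_borrows - self.total_reserves) * WAD // self.total_supply

    def mint(self, amount: int) -> int:
        tokens = amount * WAD // self.exchange_rate()
        if self.hardened and tokens == 0:
            raise ValueError("mint would issue zero hTokens")
        self.underlying_balance += amount
        self.tracked_cash += amount
        self.total_supply += tokens
        return tokens

    def redeem_underlying(self, amount: int) -> int:
        # redeemTokens = redeemAmount / exchangeRate, truncated toward zero
        tokens = amount * WAD // self.exchange_rate()
        if self.hardened and tokens == 0:
            raise ValueError("non-zero underlying would burn zero hTokens")
        if tokens > self.total_supply or amount > self.underlying_balance:
            raise ValueError("insufficient hToken supply or market cash")
        self.underlying_balance -= amount
        self.tracked_cash -= amount
        self.total_supply -= tokens
        return tokens

    def donate(self, amount: int) -> None:
        # Plain ERC-20 transfer to the market: no mint, no accounting update
        self.underlying_balance += amount


def rate_moves_on_donation(market: HTokenMarket, amount: int) -> bool:
    """Invariant: a transfer that bypasses mint() must not change the rate."""
    before = market.exchange_rate()
    market.donate(amount)
    return market.exchange_rate() != before


def zero_share_redeem_possible(market: HTokenMarket, amount: int) -> bool:
    """True if the market would pay out `amount` underlying for zero hTokens."""
    try:
        return market.redeem_underlying(amount) == 0
    except ValueError:
        return False


def run_scenario(hardened: bool) -> dict:
    """Seed a nearly empty market, then run both invariant checks against it."""
    m = HTokenMarket(hardened=hardened)
    m.mint(100)               # 100 hTokens at the 1:1 initial rate
    m.redeem_underlying(99)   # leave a dust position: 1 hToken backed by 1 unit
    moved = rate_moves_on_donation(m, 1_000_000)
    free_redeem = zero_share_redeem_possible(m, 500_000)
    return {"rate": m.exchange_rate(), "rate_moved": moved,
            "zero_share_redeem": free_redeem}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

Run as-is, the vulnerable market's rate jumps by six orders of magnitude after the donation and then hands out underlying for zero hTokens, while the hardened market reports an unchanged rate and refuses the redeem. The two checks address different causes: internal cash accounting removes the dependence on balanceOf that makes donations move the rate, and the zero-share guard is the belt-and-braces fix for the truncation in redeemUnderlying. Running invariant tests like these on every forked market, including empty ones that the UI does not surface, is the practical lesson of the incident.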
Attack Vector & Exploit Steps
The attacker employed the following methodology:
1. Flashloan initiation: Obtained 500 WBTC from Aave
2. Initial redemption: Called redeem function on previously staked 0.3 WBTC
3. Fund transfer: Attack contract 1 transferred 500.3 WBTC to attack contract 2
4. hWBTC minting: Contract 2 minted 200 hWBTC using 4 BTC
5. Redemption manipulation: Redeemed 4 WBTC while spending minimal hWBTC
6. Exchange rate inflation: Sent 500.3 WBTC directly to hWBTC contract, artificially inflating the exchange rate
7. Borrowing exploitation: Borrowed 1,021.91 ETH using only 2 remaining hWBTC tokens
8. Debt repayment & withdrawal: Repaid debt with 1 hWBTC and withdrew 500.3 WBTC
Per Peckshield: "The root cause appears the attacker donates 200 WBTC to inflate hWBTC's exchange rate."
Financial Impact
• Direct loss: $7.4M on Optimism
• Cumulative REKT record: $16.9M across all Hundred Finance incidents
• Token impact: HND token price dropped ~50% on the day following the hack, from ~$0.039 to ~$0.025
• Recovered funds: Approximately $5.4M tracked on Ethereum and $0.9M on Optimism at time of reporting
Attacker Information
Address: 0x155da45d374a286d383839b1ef27567a15e67528
Transaction hashes:
• 0x6e9ebcdebbabda04fa9f2e3bc21ea8b2e4fb4bf4f4670cb8483e2f0b2604f451
• 0x15096dc6a59cff26e0bd22eaf7e3a60125dcec687580383488b7b5dd2aceea93
Stolen funds were subsequently bridged to Ethereum where they were converted to centralized stablecoins (USDT, USDC) or deposited into Curve.
Response & Remediation
Hundred Finance's response included:
• Warning to ecosystem: Advised other COMP forks to audit their code, warning that the vulnerability represented "a general flaw in the code and not specific to Hundred deployment"
• Recovery incentive: Announced a $500K reward for information leading to the attacker's identification and fund recovery
• On-chain negotiations: Attempted direct communication with the attacker on-chain
Key Takeaway
The incident underscores risks inherent in forked protocols. As noted in the analysis: "Forks upon forks create a house of cards. If the code is copied and pasted, vulnerabilities can open up where they're least expected."