Security

Hundred Finance Suffers $7.4 Million Flash Loan and Precision Loss Exploit

A rounding error in an hToken contract, combined with low liquidity, enabled an attacker to manipulate exchange rates and drain millions via flash loans.
September 23, 20253 min

A white, spherical technological core with intricate paneling and a dark central aperture anchors a dynamic, radially expanding composition. Surrounding this central element, blue translucent blocks, metallic linear structures, and irregular white cloud-like masses radiate outwards, imbued with significant motion blur
A dynamic blue liquid splash emerges from a sophisticated digital interface displaying vibrant blue data visualizations. The background reveals intricate metallic structures, suggesting a robust hardware component or network node

Briefing

On April 15, 2023, the Hundred Finance lending protocol on the Optimism blockchain was subjected to a sophisticated flash loan attack, resulting in a loss of approximately $7.4 million. This incident leveraged a critical vulnerability stemming from exchange rate manipulation within the hWBTC contract, exacerbated by a rounding error in the redeemUnderlying function and the presence of empty markets. The exploit allowed the attacker to disproportionately inflate the value of hTokens, enabling massive, unauthorized borrowing against minimal collateral. The total financial impact of this event stands at $7.4 million, underscoring the systemic risks associated with precision loss in DeFi protocols.

A detailed 3D render showcases a futuristic blue transparent X-shaped processing chamber, actively filled with illuminated white granular particles, flanked by metallic cylindrical components. The intricate structure highlights a complex operational core, possibly a decentralized processing unit

Context

Prior to this incident, the DeFi ecosystem, particularly lending protocols forked from established codebases like Compound V2, faced inherent risks from complex smart contract interactions and potential for precision-related vulnerabilities. While Compound V2 itself had undergone audits, the re-deployment of its codebase in various forks often introduced new attack surfaces, especially in markets with low liquidity. The prevailing security posture often underestimated the impact of rounding errors when combined with flash loan capabilities and empty market conditions, leaving protocols susceptible to exchange rate manipulation.

The image displays a detailed, close-up perspective of a complex electronic circuit board, featuring a prominent central processor unit. Its metallic silver surface is intricately designed with numerous pathways and components, highlighted by glowing blue elements within its core and surrounding infrastructure

Analysis

The attack on Hundred Finance exploited a multi-faceted vulnerability within its hWBTC contract, a fork of Compound V2. The core mechanism involved the attacker utilizing a flash loan to acquire a substantial amount of Wrapped Bitcoin (WBTC). This WBTC was then strategically deposited into an empty hWBTC market, establishing the attacker as the sole hWBTC holder.

By subsequently “donating” a portion of the WBTC to the contract and exploiting a rounding error in the redeemUnderlying function, the attacker drastically manipulated the hWBTC exchange rate. This inflated rate allowed the attacker to borrow a disproportionately large amount of Ether with minimal hWBTC, effectively draining the protocol’s liquidity before repaying the initial flash loan.

The image showcases a detailed close-up of a vibrant blue, rectangular crystalline component embedded within a sophisticated metallic device. Fine, white frosty particles are visible along the edges of the blue component, with a metallic Y-shaped structure positioned centrally

Parameters

  • Protocol Targeted → Hundred Finance
  • Attack Vector → Flash Loan, Exchange Rate Manipulation, Precision Loss
  • Financial Impact → $7.4 Million
  • Blockchain Affected → Optimism (Ethereum Layer-2)
  • Vulnerability Type → Rounding Error in redeemUnderlying function, Empty Market Exploitation
  • Date of Incident → April 15, 2023

A high-resolution, abstract rendering showcases a central, metallic lens-like mechanism surrounded by swirling, translucent blue liquid and structured conduits. This intricate core is enveloped by a thick, frothy layer of white bubbles, creating a dynamic visual contrast

Outlook

Immediate mitigation for users involved with similar Compound V2 forks should include verifying protocol liquidity and the presence of robust oracle systems that prevent exchange rate manipulation. This incident highlights the critical need for comprehensive security audits that specifically address precision loss, especially in low-liquidity markets and across all contract functions, not just the primary logic. Furthermore, it reinforces the importance of continuous monitoring for anomalous exchange rate fluctuations and rapid response mechanisms to pause vulnerable markets. The broader implication is a heightened awareness for all DeFi protocols to implement circuit breakers and dynamic risk parameters that adapt to market conditions and prevent flash loan-enabled exploits.

The Hundred Finance exploit serves as a stark reminder that even well-audited codebases, when forked and deployed under specific market conditions, can harbor critical vulnerabilities, demanding continuous vigilance and adaptive security measures across the DeFi landscape.

Signal Acquired from → ImmuneBytes

Micro Crypto News Feeds

financial impact

Definition ∞ Financial impact describes the consequences of an event, decision, or technology on monetary values, asset prices, or economic activity.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

blockchain

Definition ∞ A blockchain is a distributed, immutable ledger that records transactions across numerous interconnected computers.

market

Definition ∞ In the financial and digital asset context, a market represents any venue or system where assets are exchanged between participants, driven by supply and demand dynamics.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

Tags:

Tags: