Security

Hundred Finance Suffers $7.4 Million Flash Loan and Precision Loss Exploit

A rounding error in an hToken contract, combined with low liquidity, enabled an attacker to manipulate exchange rates and drain millions via flash loans.
September 23, 20253 min

A transparent, faceted object with a metallic base and glowing blue internal structures is prominently featured, set against a blurred background of similar high-tech components. The intricate design suggests a sophisticated processing unit or sensor, with the blue light indicating active data or energy flow
A highly detailed, metallic blue and silver abstract symbol, shaped like an "X" or plus sign, dominates the frame, encased in a translucent, fluid-like material. Its complex internal circuitry and glowing elements are sharply rendered against a soft, out-of-focus background of cool grey tones

Briefing

On April 15, 2023, the Hundred Finance lending protocol on the Optimism blockchain was subjected to a sophisticated flash loan attack, resulting in a loss of approximately $7.4 million. This incident leveraged a critical vulnerability stemming from exchange rate manipulation within the hWBTC contract, exacerbated by a rounding error in the redeemUnderlying function and the presence of empty markets. The exploit allowed the attacker to disproportionately inflate the value of hTokens, enabling massive, unauthorized borrowing against minimal collateral. The total financial impact of this event stands at $7.4 million, underscoring the systemic risks associated with precision loss in DeFi protocols.

Intricate metallic components, akin to precision-engineered shafts and gears, are immersed and surrounded by a vibrant, translucent blue liquid against a soft grey background. This composition visually interprets the complex blockchain architecture and its underlying cryptographic primitives

Context

Prior to this incident, the DeFi ecosystem, particularly lending protocols forked from established codebases like Compound V2, faced inherent risks from complex smart contract interactions and potential for precision-related vulnerabilities. While Compound V2 itself had undergone audits, the re-deployment of its codebase in various forks often introduced new attack surfaces, especially in markets with low liquidity. The prevailing security posture often underestimated the impact of rounding errors when combined with flash loan capabilities and empty market conditions, leaving protocols susceptible to exchange rate manipulation.

A dynamic blue liquid splash emerges from a sophisticated digital interface displaying vibrant blue data visualizations. The background reveals intricate metallic structures, suggesting a robust hardware component or network node

Analysis

The attack on Hundred Finance exploited a multi-faceted vulnerability within its hWBTC contract, a fork of Compound V2. The core mechanism involved the attacker utilizing a flash loan to acquire a substantial amount of Wrapped Bitcoin (WBTC). This WBTC was then strategically deposited into an empty hWBTC market, establishing the attacker as the sole hWBTC holder.

By subsequently “donating” a portion of the WBTC to the contract and exploiting a rounding error in the redeemUnderlying function, the attacker drastically manipulated the hWBTC exchange rate. This inflated rate allowed the attacker to borrow a disproportionately large amount of Ether with minimal hWBTC, effectively draining the protocol’s liquidity before repaying the initial flash loan.

A white spherical module with a clear lens is positioned centrally, surrounded by numerous blue, faceted crystal-like structures. The sphere has segmented panels with glowing blue lines, while the blue crystals reflect light, creating a sense of depth and complexity

Parameters

  • Protocol Targeted → Hundred Finance
  • Attack Vector → Flash Loan, Exchange Rate Manipulation, Precision Loss
  • Financial Impact → $7.4 Million
  • Blockchain Affected → Optimism (Ethereum Layer-2)
  • Vulnerability Type → Rounding Error in redeemUnderlying function, Empty Market Exploitation
  • Date of Incident → April 15, 2023

The close-up reveals a complex, highly detailed mechanical apparatus, primarily rendered in a striking metallic blue, accented by black and silver components. Gears, bolts, and various interconnecting parts are sharply in focus, illustrating a sophisticated engineered system

Outlook

Immediate mitigation for users involved with similar Compound V2 forks should include verifying protocol liquidity and the presence of robust oracle systems that prevent exchange rate manipulation. This incident highlights the critical need for comprehensive security audits that specifically address precision loss, especially in low-liquidity markets and across all contract functions, not just the primary logic. Furthermore, it reinforces the importance of continuous monitoring for anomalous exchange rate fluctuations and rapid response mechanisms to pause vulnerable markets. The broader implication is a heightened awareness for all DeFi protocols to implement circuit breakers and dynamic risk parameters that adapt to market conditions and prevent flash loan-enabled exploits.

The Hundred Finance exploit serves as a stark reminder that even well-audited codebases, when forked and deployed under specific market conditions, can harbor critical vulnerabilities, demanding continuous vigilance and adaptive security measures across the DeFi landscape.

Signal Acquired from → ImmuneBytes

Micro Crypto News Feeds

financial impact

Definition ∞ Financial impact describes the consequences of an event, decision, or technology on monetary values, asset prices, or economic activity.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

blockchain

Definition ∞ A blockchain is a distributed, immutable ledger that records transactions across numerous interconnected computers.

market

Definition ∞ In the financial and digital asset context, a market represents any venue or system where assets are exchanged between participants, driven by supply and demand dynamics.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

Tags:

Tags: