Skip to main content
Security

Hundred Finance Suffers $7.4 Million Flash Loan and Precision Loss Exploit

A rounding error in an hToken contract, combined with low liquidity, enabled an attacker to manipulate exchange rates and drain millions via flash loans.
September 23, 20253 min

The image presents a detailed perspective of complex blue electronic circuit boards interconnected by numerous grey cables. Components like resistors, capacitors, and various integrated circuits are clearly visible across the surfaces of the boards, highlighting their intricate design and manufacturing precision
A central blue circuit board, appearing as a compact processing unit with finned heatsink elements, is heavily encrusted with white frost. It is positioned between multiple parallel silver metallic rods, all set against a background of dark grey circuit board patterns

Briefing

On April 15, 2023, the Hundred Finance lending protocol on the Optimism blockchain was subjected to a sophisticated flash loan attack, resulting in a loss of approximately $7.4 million. This incident leveraged a critical vulnerability stemming from exchange rate manipulation within the hWBTC contract, exacerbated by a rounding error in the redeemUnderlying function and the presence of empty markets. The exploit allowed the attacker to disproportionately inflate the value of hTokens, enabling massive, unauthorized borrowing against minimal collateral. The total financial impact of this event stands at $7.4 million, underscoring the systemic risks associated with precision loss in DeFi protocols.

A striking metallic X-shaped structure, characterized by its dark internal components and polished silver edges, is prominently displayed against a neutral grey backdrop. Dynamic blue and white cloud-like formations emanate and swirl around the structure, creating a sense of motion and energetic flow

Context

Prior to this incident, the DeFi ecosystem, particularly lending protocols forked from established codebases like Compound V2, faced inherent risks from complex smart contract interactions and potential for precision-related vulnerabilities. While Compound V2 itself had undergone audits, the re-deployment of its codebase in various forks often introduced new attack surfaces, especially in markets with low liquidity. The prevailing security posture often underestimated the impact of rounding errors when combined with flash loan capabilities and empty market conditions, leaving protocols susceptible to exchange rate manipulation.

Two futuristic cylindrical white and silver modules, adorned with blue translucent crystalline elements, are depicted in close proximity, revealing complex internal metallic pin arrays. The intricate design of these modules, poised for precise connection, illustrates advanced cross-chain interoperability and protocol integration vital for the next generation of decentralized finance DeFi

Analysis

The attack on Hundred Finance exploited a multi-faceted vulnerability within its hWBTC contract, a fork of Compound V2. The core mechanism involved the attacker utilizing a flash loan to acquire a substantial amount of Wrapped Bitcoin (WBTC). This WBTC was then strategically deposited into an empty hWBTC market, establishing the attacker as the sole hWBTC holder.

By subsequently “donating” a portion of the WBTC to the contract and exploiting a rounding error in the redeemUnderlying function, the attacker drastically manipulated the hWBTC exchange rate. This inflated rate allowed the attacker to borrow a disproportionately large amount of Ether with minimal hWBTC, effectively draining the protocol’s liquidity before repaying the initial flash loan.

The image presents a sophisticated abstract rendering of interconnected mechanical and fluid elements against a gradient grey background. A prominent dark blue, square component with a central cross-design is surrounded by translucent, flowing light blue structures that integrate with other metallic and white ridged parts

Parameters

  • Protocol Targeted ∞ Hundred Finance
  • Attack Vector ∞ Flash Loan, Exchange Rate Manipulation, Precision Loss
  • Financial Impact ∞ $7.4 Million
  • Blockchain Affected ∞ Optimism (Ethereum Layer-2)
  • Vulnerability Type ∞ Rounding Error in redeemUnderlying function, Empty Market Exploitation
  • Date of Incident ∞ April 15, 2023

A highly detailed, metallic blue and silver abstract symbol, shaped like an "X" or plus sign, dominates the frame, encased in a translucent, fluid-like material. Its complex internal circuitry and glowing elements are sharply rendered against a soft, out-of-focus background of cool grey tones

Outlook

Immediate mitigation for users involved with similar Compound V2 forks should include verifying protocol liquidity and the presence of robust oracle systems that prevent exchange rate manipulation. This incident highlights the critical need for comprehensive security audits that specifically address precision loss, especially in low-liquidity markets and across all contract functions, not just the primary logic. Furthermore, it reinforces the importance of continuous monitoring for anomalous exchange rate fluctuations and rapid response mechanisms to pause vulnerable markets. The broader implication is a heightened awareness for all DeFi protocols to implement circuit breakers and dynamic risk parameters that adapt to market conditions and prevent flash loan-enabled exploits.

The Hundred Finance exploit serves as a stark reminder that even well-audited codebases, when forked and deployed under specific market conditions, can harbor critical vulnerabilities, demanding continuous vigilance and adaptive security measures across the DeFi landscape.

Signal Acquired from ∞ ImmuneBytes

Micro Crypto News Feeds

financial impact

Definition ∞ Financial impact describes the consequences of an event, decision, or technology on monetary values, asset prices, or economic activity.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

blockchain

Definition ∞ A blockchain is a distributed, immutable ledger that records transactions across numerous interconnected computers.

market

Definition ∞ In the financial and digital asset context, a market represents any venue or system where assets are exchanged between participants, driven by supply and demand dynamics.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

Tags:

Tags: