Security

Hundred Finance Suffers $7.4 Million Flash Loan and Precision Loss Exploit

A rounding error in an hToken contract, combined with low liquidity, enabled an attacker to manipulate exchange rates and drain millions via flash loans.
September 23, 20253 min

The detailed composition showcases an open mechanical watch movement, its metallic components and precise gear train clearly visible. A substantial blue structure, adorned with intricate circuit-like patterns, connects to the watch, with a metallic arm extending into its core
A sophisticated, transparent blue and metallic device features a central white, textured spherical component precisely engaged by a fine transparent tube. Visible through the clear casing are intricate internal mechanisms, highlighting advanced engineering

Briefing

On April 15, 2023, the Hundred Finance lending protocol on the Optimism blockchain was subjected to a sophisticated flash loan attack, resulting in a loss of approximately $7.4 million. This incident leveraged a critical vulnerability stemming from exchange rate manipulation within the hWBTC contract, exacerbated by a rounding error in the redeemUnderlying function and the presence of empty markets. The exploit allowed the attacker to disproportionately inflate the value of hTokens, enabling massive, unauthorized borrowing against minimal collateral. The total financial impact of this event stands at $7.4 million, underscoring the systemic risks associated with precision loss in DeFi protocols.

A polished, multi-layered metallic mechanism descends into a vibrant, translucent blue liquid, with blue rod-like structures extending from it. White foam actively bubbles at the liquid's surface around the metallic component, set against a soft, light gray background

Context

Prior to this incident, the DeFi ecosystem, particularly lending protocols forked from established codebases like Compound V2, faced inherent risks from complex smart contract interactions and potential for precision-related vulnerabilities. While Compound V2 itself had undergone audits, the re-deployment of its codebase in various forks often introduced new attack surfaces, especially in markets with low liquidity. The prevailing security posture often underestimated the impact of rounding errors when combined with flash loan capabilities and empty market conditions, leaving protocols susceptible to exchange rate manipulation.

A white, spherical technological core with intricate paneling and a dark central aperture anchors a dynamic, radially expanding composition. Surrounding this central element, blue translucent blocks, metallic linear structures, and irregular white cloud-like masses radiate outwards, imbued with significant motion blur

Analysis

The attack on Hundred Finance exploited a multi-faceted vulnerability within its hWBTC contract, a fork of Compound V2. The core mechanism involved the attacker utilizing a flash loan to acquire a substantial amount of Wrapped Bitcoin (WBTC). This WBTC was then strategically deposited into an empty hWBTC market, establishing the attacker as the sole hWBTC holder.

By subsequently “donating” a portion of the WBTC to the contract and exploiting a rounding error in the redeemUnderlying function, the attacker drastically manipulated the hWBTC exchange rate. This inflated rate allowed the attacker to borrow a disproportionately large amount of Ether with minimal hWBTC, effectively draining the protocol’s liquidity before repaying the initial flash loan.

The image showcases a detailed view of a sophisticated, blue-hued technological apparatus, featuring numerous interconnected metallic blocks, conduits, and bright blue electrical wires. A prominent central module with a dark, integrated circuit-like component is secured by visible screws, indicating a core processing unit

Parameters

  • Protocol Targeted → Hundred Finance
  • Attack Vector → Flash Loan, Exchange Rate Manipulation, Precision Loss
  • Financial Impact → $7.4 Million
  • Blockchain Affected → Optimism (Ethereum Layer-2)
  • Vulnerability Type → Rounding Error in redeemUnderlying function, Empty Market Exploitation
  • Date of Incident → April 15, 2023

A transparent, luminous blue X-shaped component is prominently displayed, showcasing intricate internal pathways and circuitry. It is situated within a larger, blurred industrial or technological system rendered in shades of blue and gray

Outlook

Immediate mitigation for users involved with similar Compound V2 forks should include verifying protocol liquidity and the presence of robust oracle systems that prevent exchange rate manipulation. This incident highlights the critical need for comprehensive security audits that specifically address precision loss, especially in low-liquidity markets and across all contract functions, not just the primary logic. Furthermore, it reinforces the importance of continuous monitoring for anomalous exchange rate fluctuations and rapid response mechanisms to pause vulnerable markets. The broader implication is a heightened awareness for all DeFi protocols to implement circuit breakers and dynamic risk parameters that adapt to market conditions and prevent flash loan-enabled exploits.

The Hundred Finance exploit serves as a stark reminder that even well-audited codebases, when forked and deployed under specific market conditions, can harbor critical vulnerabilities, demanding continuous vigilance and adaptive security measures across the DeFi landscape.

Signal Acquired from → ImmuneBytes

Micro Crypto News Feeds

financial impact

Definition ∞ Financial impact describes the consequences of an event, decision, or technology on monetary values, asset prices, or economic activity.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

blockchain

Definition ∞ A blockchain is a distributed, immutable ledger that records transactions across numerous interconnected computers.

market

Definition ∞ In the financial and digital asset context, a market represents any venue or system where assets are exchanged between participants, driven by supply and demand dynamics.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

Tags:

Tags: