Security

Hundred Finance Suffers $7.4 Million Flash Loan and Precision Loss Exploit

A rounding error in an hToken contract, combined with low liquidity, enabled an attacker to manipulate exchange rates and drain millions via flash loans.
September 23, 20253 min

Luminous blue fluid cascades between intricate, futuristic interlocking components, one crystalline and segmented, the other a polished, segmented metallic structure. This visual powerfully illustrates the complex interplay of elements within the cryptocurrency and blockchain space
A detailed, close-up view shows a light blue, textured surface forming a deep, circular indentation. A spherical object resembling a full moon floats centrally above this void, symbolizing a digital asset experiencing significant price action or 'mooning' within the DeFi landscape

Briefing

On April 15, 2023, the Hundred Finance lending protocol on the Optimism blockchain was subjected to a sophisticated flash loan attack, resulting in a loss of approximately $7.4 million. This incident leveraged a critical vulnerability stemming from exchange rate manipulation within the hWBTC contract, exacerbated by a rounding error in the redeemUnderlying function and the presence of empty markets. The exploit allowed the attacker to disproportionately inflate the value of hTokens, enabling massive, unauthorized borrowing against minimal collateral. The total financial impact of this event stands at $7.4 million, underscoring the systemic risks associated with precision loss in DeFi protocols.

A granular white substance connects to a granular blue substance via multiple parallel metallic conduits, terminating in embedded rectangular components. This visual metaphorically represents a cross-chain bridge facilitating blockchain interoperability between distinct decentralized network segments

Context

Prior to this incident, the DeFi ecosystem, particularly lending protocols forked from established codebases like Compound V2, faced inherent risks from complex smart contract interactions and potential for precision-related vulnerabilities. While Compound V2 itself had undergone audits, the re-deployment of its codebase in various forks often introduced new attack surfaces, especially in markets with low liquidity. The prevailing security posture often underestimated the impact of rounding errors when combined with flash loan capabilities and empty market conditions, leaving protocols susceptible to exchange rate manipulation.

A detailed close-up reveals a complex system featuring textured blue pipes interwoven with shiny silver mechanical components and black data cables. The metallic structures exhibit intricate lattice patterns and various interconnected blocks, suggesting a sophisticated internal mechanism

Analysis

The attack on Hundred Finance exploited a multi-faceted vulnerability within its hWBTC contract, a fork of Compound V2. The core mechanism involved the attacker utilizing a flash loan to acquire a substantial amount of Wrapped Bitcoin (WBTC). This WBTC was then strategically deposited into an empty hWBTC market, establishing the attacker as the sole hWBTC holder.

By subsequently “donating” a portion of the WBTC to the contract and exploiting a rounding error in the redeemUnderlying function, the attacker drastically manipulated the hWBTC exchange rate. This inflated rate allowed the attacker to borrow a disproportionately large amount of Ether with minimal hWBTC, effectively draining the protocol’s liquidity before repaying the initial flash loan.

A striking metallic X-shaped structure, characterized by its dark internal components and polished silver edges, is prominently displayed against a neutral grey backdrop. Dynamic blue and white cloud-like formations emanate and swirl around the structure, creating a sense of motion and energetic flow

Parameters

  • Protocol Targeted → Hundred Finance
  • Attack Vector → Flash Loan, Exchange Rate Manipulation, Precision Loss
  • Financial Impact → $7.4 Million
  • Blockchain Affected → Optimism (Ethereum Layer-2)
  • Vulnerability Type → Rounding Error in redeemUnderlying function, Empty Market Exploitation
  • Date of Incident → April 15, 2023

A polished, multi-layered metallic mechanism descends into a vibrant, translucent blue liquid, with blue rod-like structures extending from it. White foam actively bubbles at the liquid's surface around the metallic component, set against a soft, light gray background

Outlook

Immediate mitigation for users involved with similar Compound V2 forks should include verifying protocol liquidity and the presence of robust oracle systems that prevent exchange rate manipulation. This incident highlights the critical need for comprehensive security audits that specifically address precision loss, especially in low-liquidity markets and across all contract functions, not just the primary logic. Furthermore, it reinforces the importance of continuous monitoring for anomalous exchange rate fluctuations and rapid response mechanisms to pause vulnerable markets. The broader implication is a heightened awareness for all DeFi protocols to implement circuit breakers and dynamic risk parameters that adapt to market conditions and prevent flash loan-enabled exploits.

The Hundred Finance exploit serves as a stark reminder that even well-audited codebases, when forked and deployed under specific market conditions, can harbor critical vulnerabilities, demanding continuous vigilance and adaptive security measures across the DeFi landscape.

Signal Acquired from → ImmuneBytes

Micro Crypto News Feeds

financial impact

Definition ∞ Financial impact describes the consequences of an event, decision, or technology on monetary values, asset prices, or economic activity.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

rounding error

Definition ∞ A rounding error is a discrepancy that arises when representing a number with a finite number of digits during calculations.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

blockchain

Definition ∞ A blockchain is a distributed, immutable ledger that records transactions across numerous interconnected computers.

market

Definition ∞ In the financial and digital asset context, a market represents any venue or system where assets are exchanged between participants, driven by supply and demand dynamics.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

Tags:

Tags: