Hundred Finance WBTC Optimism Exploit
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Hundred Finance is a multi-chain lending protocol that allows users to borrow and lend assets in a decentralized and economically efficient manner. It was audited by WhiteHatDAO in Feb 2022. The platform integrates with Chainlink oracles to ensure market health and stability. The distribution of HND, its governance token, is ongoing to broaden the ownership of the governance token and the platform's usage. The platform aims to expand to multiple chains in order to deliver its decentralized financial services as widely as possible. However, on April 15th, Hundred Finance suffered a $7.4M exploit on Optimism due to the attacker manipulating the exchange rate by donating a large amount of WBTC to the hWBTC contract. The root cause appears to be the same reentrancy mechanism that hit CREAM Finance in August 2021. Hundred Finance launched a $500k reward for information leading to the attacker's arrest and the return of all funds.
About Hundred Finance
Hundred Finance is a multi-chain lending protocol that allows users to borrow and lend assets in a trustless and secure manner. It uses veHND model and integrates with Chainlink oracles to ensure market health and stability. The platform was first launched on Ethereum's Kovan testnet in late June 2021, and after extensive testing, it was soft-launched on the Ethereum mainnet. The fully-enabled Arbitrum version of the Hundred Finance dApp was then deployed, and the distribution of HND began. A vote-escrow governance token mechanism was implemented in December 2021, facilitating direct community involvement in the emission of HND through stablecoin staking contracts known as gauges. The platform is currently implemented on several chains, including Ethereum, Arbitrum, Fantom, Harmony, Moonriver, Gnosis Chain, Optimism, and Polygon. Hundred Finance aims to expand to multiple chains to deliver its financial services as widely as possible. Users can access the platform through its integration with compatible Web3 wallets, and the core functionality of the platform remains the same across different chains, although assets, interest rates, and transaction costs may vary.
"The goal of Hundred Finance is to expand to multiple chains in order to deliver its decentralized and economically efficient financial services as widely as possible. The Hundred Finance dApp grants users access to these networks through its integration with compatible Web3 wallets. Users are able to select the network they wish to interact with from the platform’s main page, an action that will automatically trigger the selection of the correct network by their browser-integrated Web3 wallet. While the platform maintains the same core functionality independent of the chain, assets, interest rates and other variables, such as transaction costs, differ between them."
Hundred is a Compound fork which uses hTokens to track lending positions. It was audited in Feb 2022 by WhiteHatDAO.
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
"Shortly after 2pm UTC on April 15th, Hundred Finance suffered a $7.4M exploit on Optimism."
|April 15th, 2023 8:12:00 AM MDT||First Exploit Transaction||The first exploit by the contract attacker.|
|April 15th, 2023 8:12:30 AM MDT||Second Exploit Transaction||The second exploit transaction by the contract attacker.|
|April 15th, 2023 8:26:00 AM MDT||Hypernative Alert Triggers Team||"The Hundred Finance team became aware of the attack when, 14 minutes after it had occurred, an alert was received from Hypernative at 2:26 pm UTC."|
|April 15th, 2023 8:37:00 AM MDT||Hundred Finance Twitter Announcement||The Hundred Finance team posts on Twitter to announce that they were hacked. "It looks that Hundred got hacked on #Optimism. We will update when there is more information to it." According to their post-mortem, at this time "[e]fforts had also begun to track funds and the identity of the hacker by reaching out to third-party cybercrime security professionals."|
|April 15th, 2023 10:10:00 AM MDT||Ethereum Message To Attacker||"At 4:10pm UTC, the Hundred Finance Admin account on the Ethereum mainnet was used to send a message to the attacker’s address, in which the offer to discuss a bounty and repayment was made. Additionally, having become aware that the exploit remains possible in all Compound v2 forks that have empty markets, the team reached out to potentially vulnerable projects to ensure that they had taken remedial action."|
|April 15th, 2023 12:33:00 PM MDT||PeckShield Analysis Posted||PeckShield posts an analysis of the exploit on Twitter.|
|April 15th, 2023 10:26:00 PM MDT||Beosin Alert Posted||Beosin posts an alert to Twitter about the incident.|
|April 16th, 2023 10:12:00 AM MDT||Invitation For Exploit Information||Hundred Finance pins a post on Twitter requesting that any other Compound V2 projects can reach out for information on the exploit.|
|April 17th, 2023 10:10:00 AM MDT||Negotiations With Attacker||Hundred Finance announces on Twitter that they haven't got any response in 48 hours since starting negotiations with the attacker.|
|April 18th, 2023 12:35:00 PM MDT||Rekt Article Published||The Hundred Finance incident makes it's way onto the Rekt leaderboard with a new article published.|
|April 22nd, 2023 12:38:26 PM MDT||Hundred Finance Post-Mortem Published||Hundred Finance shares a post-mortem on Medium and then cross-posted onto Twitter.|
|May 15th, 2023 10:21:00 PM MDT||Hundred Finance Shares Update||Hundred Finance reports that "a lot of things" have been "happening in the background with the help of various agencies and security teams", and that "the 500k USD bounty is still on the table.".|
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
"[T]he attack vector was the same reentrancy mechanism which hit CREAM Finance in August 2021."
"It looks that Hundred got hacked on #Optimism. We will update when there is more information to it."
PeckShield Technical Analysis
PeckShield shared a brief technical analysis on Twitter.
The loss of today's @HundredFinance hack is ~$7m. The root cause appears the attacker donates 200 WBTC to inflate hWBTC's exchange rate so that even a tiny amount (2 wei) of hWBTC can basically drain current lending pools.
Beosin Alert Technical Analysis
Beosin included a technical analysis on Twitter.
On Apr 15th, @HundredFinance was exploited for over $7M on #Optimism.
Hundred Finance was also a victim of a reentrancy attack on Mar 2022.
2/ The root cause is that the attacker can manipulate the exchangeRate by donating a large amount of WBTC to the hWBTC contract.
In the getAccountSnapshot function, the value of exchangeRateMantissa relies on the amount of WBTC in the contract.
3/ The attacker flashloaned 500 $WBTC, then called the redeem function to redeem the previously staked 0.3 WBTC.
Next, the attack contract 1 sent 500.3 WBTC to attack contract 2. Contract 2 used 4 BTC to mint 200 hWBTC. The redeem function was then called to redeem the 4 BTC.
4/ Here the attacker can redeem the 4 WBTC previously staked with less than 200 hWBTC. At this point the attacker had a very small amount of hWBTC left on contract 2.
5/ Attack contract 2 then sent 500.3 WBTC to the hWBTC contract and borrowed 1021.91 ETH via the remaining 2 hWBTCs.
Finally the attack contract 2 repaid the previous debt by using 1 hWBTC, and withdrew 500.3 WBTC from the contract.
Hundred Finance Post-Mortem
Hundred Finance shared a post-mortem on Medium with additional details about the exploit.
At 2:12pm UTC on April 15th, 2023, the Optimism deployment of the Hundred Finance lending protocol was exploited by an attacker, who drained the platform of the entirety of assets held within hToken markets on the chain. The method by which the exploit was carried out relied upon an integer rounding vulnerability in the hToken contract logic for redeeming underlying tokens, a vulnerability that presents itself when a market is empty.
In total, the attacker drained 1,030 ETH, 1,265,979 USDC, 1,113,431 USDT, 865,143 SUSD, 842,788 DAI, 457,286 FRAX and 20,854 SNX from the protocol, with a combined value of approximately $6.8 million USD at the time the hack was carried out. These amounts include assets stolen from the current deployment, as well as around $50,000 USD of ETH, USDC and SNX that remained on the previous Optimism deployment of the app, awaiting withdrawal by their owners. Funds stolen in the hack were supplied by 180 individual wallets, the owners of which are now unable to use their hTokens to reacquire the underlying cryptocurrencies that they had supplied.
Following the hack, the attacker sent the majority of stolen assets to the Ethereum mainnet, swapping them to alternatives that are not subject to pausing by their issuers. The SNX and SUSD tokens, however, remain on Optimism, where, a week later, they have so-far not moved further. Similarly, as of posting, there has been no attacker-initiated transactions on the attacker’s mainnet account since the day of the attack.
Mechanism of the Hack
On April 11th, 2023, the hacker’s wallet, 0x155DA45D374A286d383839b1eF27567A15E67528, withdrew approximately 1 ETH from Tornado Cash, portions of which were then sent to Optimism using the Optimism bridge and to Arbitrum using the Multichain bridge.
Three days later, a second withdrawal of 10 ETH was made from Tornado and used to purchase the WBTC that was then sent, along with further ETH, to Optimism to be used as a part of the attack.
Once the WBTC had been received by their Optimism wallet, the attacker deposited the BTC into the two empty hWBTC markets. One of the generated hWBTC tokens was used as a part of the exploit of the newest Hundred Finance deployment, while the second was used as part of the exploit of the former deployment in which user funds remained. This made them the sole holder of the two types of hWBTC token.
On the day of the hack, the attacker deployed two master contracts that, minutes later, would be used to carry out the same exploit on each deployment. These were both initiated within the space of 30 seconds of each other when the hWBTC tokens were sent to their respective master contracts.
The steps of the attack, occurring within one transaction per master contract, were as follows:
The hWBTC received by the master contract is burned for the WBTC, emptying the market.
A large WBTC flashloan is taken out by the master contract using Aave and sent to a drainer contract that it itself creates.
The drainer contract uses a small portion of its WBTC to mint hWBTC, before redeeming all but 0.00000002 (2 wei).
The drainer contract then donates WBTC to the hWBTC market, inflating the collateral value of the 0.00000002 hWBTC it holds. This is because in the getAccountSnapshot function, the value of exchangeRateMantissa relies on the amount of WBTC in the contract and not the amount used to generate hWBTC.
At this stage, thanks to the flashloaned WBTC, the hWBTC has a collateral value that allows it to borrow any of the assets in any market in their entirety, which it then does.
After borrowing all the assets on a market, the redeemUnderlying call is used by the drainer contract to withdraw all but 0.00000001 of the WBTC, but, due to a rounding error, this only burns half of the master contract’s 0.00000002 hWBTC.
This rounding error occurs because when the amount of hWBTC needed to redeem the WBTC is calculated, the contract uses a withdrawal formula that rounds down. In the first instance that occurred during the hack, the 0.00000001999999999920048 hWBTC required to redeem 500.30063815 WBTC was rounded down to 0.00000001 hWBTC and successfully used to redeem.
This meant that, at this point the drainer contract is left with all the WBTC except for the 0.00000001 WBTC that remained in the hWBTC market, the entire balance of the drained market and 0.00000001 hWBTC.
The drainer contract then sends the WTBC and “borrowed” assets back to the master contract, which liquidates the drainer contract and seizes the remaining 1 wei hWBTC.
The master contract can then redeem the hWBTC, emptying the market, thus allowing the process to be repeated, draining each of the markets on which assets are held in turn.
Finally, the flashloan is repaid and the accumulated assets are sent by the master contract back to the hacker’s account on Optimism.
This vulnerability has existed in the Compound v2 code since its launch despite multiple audits, presenting itself when markets are launched with a collateral value in place but no depositors or following markets becoming empty due to user withdrawal post-launch. It can, however, be mitigated by:
Minting Small cToken (or equivalent) Amounts at Market Creation
Ensuring that markets are never empty by minting small cToken (or equivalent) balances at the time of market creation prevents the rounding error being used maliciously. A deposit as small as 1 wei is sufficient. By having an initial deposit, the exploitable condition of an empty market can be avoided, making the attack unfeasible.
Deactivate the RedeemUnderlying Function
Another approach to preventing the attack is the deactivation of the redeemUnderlying function. By disabling this function, the attacker would be unable to exploit the rounding bug during the withdrawal process. However, this option may require alternative methods for users to redeem their underlying tokens, and could impact the overall functionality and user experience of the platform.
Total Amount Lost
The total amount lost has been estimated at $7,400,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Hundred Finance Describes Their Response
In their post-mortem, Hundred Finance describes their becoming aware of the attack and their response.
The Hundred Finance team became aware of the attack when, 14 minutes after it had occurred, an alert was received from Hypernative at 2:26 pm UTC.
In response, the process of pausing markets on all chains was begun so that the nature of the hack could be investigated without further funds being at risk. Users should be aware that this is a paused state that will remain in place for the time being, with only the ability to repay borrows and withdraw supplied assets available on all chains.
Simultaneous with the above, the project Discord and the Hundred Finance Twitter account was used to alert the community of the hack, with the Tweet published at 2:37pm UTC. Efforts had also begun to track funds and the identity of the hacker by reaching out to third-party cybercrime security professionals.
At 4:10pm UTC, the Hundred Finance Admin account on the Ethereum mainnet was used to send a message to the attacker’s address, in which the offer to discuss a bounty and repayment was made. Additionally, having become aware that the exploit remains possible in all Compound v2 forks that have empty markets, the team reached out to potentially vulnerable projects to ensure that they had taken remedial action.
During these and the hours that followed, a data gathering process was initiated that entailed consulting with the teams behind the various applications and protocols with which the attacker had interacted. This has allowed us to acquire clues on the identity of the hacker, evidence that can be further added to as the investigation progresses. The task of identifying affected wallets, amounts lost and coordinating the process of reporting these losses to law enforcement was also started. These were actions that were continued over the following days and will be continued on an ongoing basis.
On April 17th, two days after the hack, a $500k USD open bounty was issued for providing information leading to the arrest of the hacker and the return of all funds. This is a bounty that has already attracted interest, though it remains in place and open to any party.
Having received no direct response from the hacker by the Tuesday following the hack, at 1:31 pm UTC an ultimatum was put out through a second message sent to their mainnet account. This made a single and final public offer of a bounty of 10% of the value of the assets held, as well as a commitment not to pursue them further, in exchange for the return of the remaining 90% within 24 hours.
When, the following day, this offer went unaccepted, law enforcement was informed and criminal proceedings formally begun. This engagement with law enforcement is an ongoing process and we encourage our users to reach out and identify themselves to the extent possible in order to broaden our multi-jurisdiction response. This can be done by joining the project Discord and contacting a member of the team.
Hundred Finance Announces Their Hack
The Hundred Finance team announced on Twitter when they realized they were hacked.
It looks that Hundred got hacked on #Optimism. We will update when there is more information to it.
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Invitation For Other Compound Projects
The Hundred Finance team has offered on their Twitter that any other Compound V2 projects can reach out to them for more information on the exploit.
If you are a Compound V2 fork and we or our frens are not in contact with you already, please reach out so we share the information on the hack since it is a general flaw in the code and not specific to Hundred deployment.
Attempted Negotiation With The Attacker
"48h passed since we sent an on-chain message to the hacker and tried to start negotiations with him.
Today we are launching a $500k reward in the hope that this provides additional incentive for info that leads to the Hundred attacker’s arrest and the return of all funds."
Hundred Finance shared a post-mortem on Medium and Twitter explaining the mechanism of the attack and their plans forward.
While there is still hope that the attacker will return the funds of their own accord, we are now doing everything in our power to retrieve by going down law enforcement channels and contracting forensic analysis. Due to the nature of law enforcement investigations and the potential need to avoid alerting the attackers to their progress in order to optimize the chance of their success, moving forward some information may be privileged. The Hundred Finance team will, however, remain available to answer user questions wherever possible and are united with those affected in the desire for a rapid resolution. Once assets are recovered, distribution to those who have suffered a loss will be carried out as rapidly and as equitably as is possible.
For further information or to coordinate a report to law enforcement, please visit the project Discord
If you have information that you believe may lead to the return of funds and capture of the hacker, in the process qualifying for the $500k USDC reward, please make contact at firstname.lastname@example.org
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Hundred Finance appears to still be in pursuit of a recovery of the funds. They remain offering a $500k USD bounty.
Individual Prevention Policies
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
- Hundred Finance Homepage (May 3, 2023)
- Hundred Finance Documentation (May 3, 2023)
- Multi-Chain Implementation - Hundred Finance Documentation (May 3, 2023)
- Rekt - Hundred Finance - REKT 2 (May 3, 2023)
- Optimistic L2 Exploit Transaction 1 - Optimism (May 3, 2023)
- Optimistic L2 Exploit Transaction 2 - Optimism (May 3, 2023)
- 15/04/23 Hundred Finance Hack Post-Mortem - Medium (May 16, 2023)
- HundredFinance - "It looks that Hundred got hacked on #Optimism. We will update when there is more information to it." - Twitter (May 3, 2023)
- peckshield - "The loss of today's @HundredFinance hack is ~$7m. The root cause appears the attacker donates 200 WBTC to inflate hWBTC's exchange rate so that even a tiny amount (2 wei) of hWBTC can basically drain current lending pools." - Twitter (May 3, 2023)
- BeosinAlert - "On Apr 15th, @HundredFinance was exploited for over $7M on #Optimism." - Twitter (May 3, 2023)
- Hundred Finance - "If you are a Compound V2 fork and we or our frens are not in contact with you already, please reach out so we share the information on the hack since it is a general flaw in the code and not specific to Hundred deployment." - Twitter (May 16, 2023)
- HundredFinance - "48h passed since we sent an on-chain message to the hacker and tried to start negotiations with him." - Twitter (May 3, 2023)
- RektHQ - "@HundredFinance finally gets its very own article. On April 15th, Hundred suffered a $7.4M exploit on Optimism." - Twitter (May 16, 2023)
- Hundred Finance - "Post mortem:" - Twitter (May 16, 2023)
- Hundred Finance - "A lot of things happening in the background with the help of various agencies and security teams. The 500k USD bounty is still on the table." - Twitter (May 16, 2023)