Cybersecurity firm PeckShield has reported that the multi-chain lending protocol HundredFinance has been exploited, resulting in a loss of approximately $7 million. The attacker reportedly exploited the platform by donating 200 WBTC to inflate the hWBTC’s exchange rate, allowing a minuscule amount of hWBTC to drain the current lending pools.
Notably, PeckShield presented the case on Twitter, providing a brief sketch of the issue:
The loss of today's @HundredFinance hack is ~$7m.
— PeckShield Inc. (@peckshield) April 15, 2023
The root cause appears the attacker donates 200 WBTC to inflate hWBTC's exchange rate so that even a tiny amount (2 wei) of hWBTC can basically drain current lending pools.
Here comes the hack tx: https://t.co/ryPYk74dgE https://t.co/YbfnTvf1Uw pic.twitter.com/QbsbZBfemJ
In response to the hack, HundredFinance posted updates on their Twitter account, stating that they are currently in talks with various security teams and the hacker in an attempt to resolve the issue.
According to PeckShield, the hacker transferred roughly 1,034 ETH (worth $2.18 million at the time), 1.27 million USDC, 1.1 million USDT, 842.8 thousand DAI, and 0.058 WBTC to Ethereum using Multichain.
Additionally, the attacker swapped 1.1 million USDT for 500 thousand DAI and 613 thousand FRAX, exchanged 480 thousand USDC for 39 PAXG, 142.6 WETH, and 305.5 thousand WOO, and added 786 thousand USDC into Curve.
Significantly, HundredFinance has urged its users not to speculate on the attack’s execution and assured them that their team is preparing a post-mortem analysis. The platform has said that its primary focus is to establish communication with the hacker and reach an agreement that will benefit its users the most.
Meanwhile, they are also gathering all available information for possible further action. HundredFinance has requested users affected by the hack, particularly those from the United States and New York, to contact their team members on Discord for assistance.
