Multi-chain lending protocol Hundred Finance turn into exploited over the weekend, shedding better than $7 million in a flash mortgage exploit.

The protocol’s personnel disclosed the exploit on Saturday, telling customers they had reached out to the hacker and were in talks with so a lot of security teams so as to recover the funds. The protocol turn into exploited on Ethereum Layer 2 network Optimism.

It appears to be like that Hundred purchased hacked on #Optimism. We’re going to have the selection to update when there’s extra knowledge to it.

— Hundred Finance (@HundredFinance) April 15, 2023

Estimated most up-to-date loss is ~7m USD.

But again we hope the hacker will reach out assist to us and we would be ready to acquire a joint technique to solve this topic. 🙏

Thank you everybody for your enhance and assist all by these advanced times. ❤️ https://t.co/wLGAl4AAGA

— Hundred Finance (@HundredFinance) April 15, 2023

Prognosis from blockchain security firm CertiK estimated the whole losses from the exploit are nearer to $7.4 million. CertiK discovered that the exploiter orchestrated the assault by manipulating the exchange rate between ERC-20 tokens and hTOKENS.

hTOKENS are Hundred Finance’s passion-bearing tokens that describe individual deposits on the platform. These tokens conform to the ERC-20 token customary, nonetheless are arena to a fluctuating exchange rate per the stage of borrowing by diverse customers.

Per CertiK, the hacker manipulated the exchange rate by Money cost – something that represents the amount of Wrapped Bitcoin (wBTC) that the hBTC contract holds. The attacker donated increased amounts of wBTC to the hTOKEN contract in expose to transfer the exchange rate greater.

The attacker then borrowed a enormous amount underneath this inflated exchange rate and bought assist the amount donated by redeeming 1 hTOKEN.

Lately's Hundred Finance assault has a sexy strange assault loop.

Mint, redeem all of it – 2, transfer it assist to the ctoken contract(!), borrow loads(!), take the arrangement funds, redeem the mountainous pile of the long-established currency(!), liquidate the infant assault contract, and redeem 1. pic.twitter.com/TNseoCeon3

— Daniel Von Fange (@danielvf) April 15, 2023

One other blockchain security firm, Numen Cyber Abilities, broke down the hacker’s loot, discovering that the exploiter stole 1,030 ETH, 1.13 million USDT, 1.2 million USDC and 824,788 DAI along with a preference of diverse synthetic and wrapped tokens.

Hundred Finance’s native token HND fell Forty five% after news of the exploit and turn into trading at around $0.02 at the time of writing.

The protocol suffered but any other exploit closing yr, which took region on the Gnosis chain in March 2022. On the time, Hundred Finance lost $6 million in a re-entrancy assault that furthermore focused the Agave protocol.