Hope Money Hack Analysis

Hope Money Hack Analysis

Overview:

On October 18, 2023, The Hope Money project on Ethereum experienced a security breach attributed to a precision loss issue that resulted in a total loss of 528 ETH.

Smart Contract Hack Overview:

• Attacker Address: 0xa8bbb3
• Vulnerable Contract: 0xC74b72
• Attack Transaction: 0x1a7ee0a

Decoding the Smart Contract Vulnerability:

• The root cause behind this attack can be attributed to a precision issue when handling the liquidity index within the _handleFlashLoanRepayment() function. This manipulation of the liquidity index served as the critical component in the HopeLend exploit.
• The attacker initiated the attack by obtaining a flash loan, and notably, no collateral was required. They borrowed a significant amount of 2,000 Wrapped Bitcoin (WBTC).
• Then, The attacker added the borrowed flash loan amount to the reserve liquidity index, resulting in an extraordinarily high value for the ‘liquidityIndex’ parameter.
• Subsequently, when this inflated ‘liquidityIndex’ value was passed within the hEthWBTC contract, it caused a drastic change in the index value, transforming it from the typical 1*10²⁷ to an unusually high 7,560,000,00*10²⁷.
• Due to this precision loss, the system became incapable of accurately tracking and calculating values when dealing with the liquidityIndex set at 7,560,000,00*10²⁷.
• Interestingly, the attacker did not profit from this exploit; instead, a frontrunner took advantage of the situation and earned 264.08 ETH.

Mitigation and Best Practices:

• Multiplication should always be performed before division to avoid loss of precision.
• The calculated result for division and multiplication can be stored in an integer with more bits, but the operands must also be integers of the same size.
• Always validate your code by writing comprehensive test cases that cover all the possible business logic.
• To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
• Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord