Hundred Finance Hack Analysis — Improper Business Logic
Overview:
- On April 15th, 2023, an attacker manipulated the exchange-rate business logic of Hundred Finance and withdrew more tokens than had been deposited, causing a loss to the protocol of about $7.4M.
Smart Contract Hack Overview:

Decoding the Smart Contract Vulnerability:
- The attacker took a flash loan of 500 WBTC from Aave and found that there was no lending activity in the hWBTC market other than their own earlier transactions, which had driven hWBTC's total supply to zero.

- The attacker deployed a proxy contract funded with 4 WBTC and redeemed through it in order to shift the exchange rate. After the redemption, that contract held 500 WBTC and only 2 wei of hWBTC.

- The attacker then sent 500 WBTC directly to the pool, which inflated the hWBTC exchange rate and allowed them to borrow ETH against a much smaller hWBTC position.

- The attacker used the remaining 2 wei of hWBTC to borrow 1021.91 ETH. Finally, the attacker's contract withdrew 500.3 WBTC and used 1 wei of hWBTC to pay off the earlier debt.
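The steps above all hinge on one formula from the Compound-style cToken design that hWBTC inherited: exchangeRate = (cash + borrows - reserves) / totalSupply. When totalSupply is a handful of wei, a plain token transfer into the market (cash up, supply unchanged) moves the rate by orders of magnitude, and the floor division in redeemUnderlying then lets nearly two wei's worth of underlying be taken for one. The model below is an added example and is not Hundred Finance's contract code; the initial exchange rate, the 1e8-wei seed amount and the `market_is_manipulable` threshold are constructed assumptions, and the two defences it shows (protocol-owned seed supply that is never redeemed, and rounding the burned share count up) are general guidance for Compound forks, not something the write-up itself states the protocol did.

```python
"""Added example: a minimal model of the Compound-style exchange-rate math that
the hWBTC market inherited.  Not Hundred Finance's code; all numbers are
constructed and only loosely follow the figures in the write-up."""
from dataclasses import dataclass

MANTISSA = 10**18      # Compound scales exchange rates by 1e18
WBTC = 10**8           # 1 WBTC = 1e8 satoshi (8 decimals)


def div_ceil(a: int, b: int) -> int:
    return -(-a // b)


@dataclass
class CTokenMarket:
    cash: int = 0                   # underlying held by the market, in satoshi
    borrows: int = 0
    reserves: int = 0
    total_supply: int = 0           # cToken wei outstanding
    initial_rate: int = 2 * 10**16  # assumed initial exchangeRate mantissa (constructed)

    def exchange_rate(self) -> int:
        """exchangeRate = (cash + borrows - reserves) / totalSupply, or the initial
        rate when nobody holds cTokens.  With a tiny totalSupply every satoshi of
        cash moves the rate enormously: that is the root cause."""
        if self.total_supply == 0:
            return self.initial_rate
        return (self.cash + self.borrows - self.reserves) * MANTISSA // self.total_supply

    def mint(self, amount: int) -> int:
        tokens = amount * MANTISSA // self.exchange_rate()  # floors, in the protocol's favour
        self.cash += amount
        self.total_supply += tokens
        return tokens

    def redeem_tokens(self, tokens: int) -> int:
        amount = tokens * self.exchange_rate() // MANTISSA  # floors, in the protocol's favour
        self.total_supply -= tokens
        self.cash -= amount
        return amount

    def tokens_for_underlying(self, amount: int, round_up: bool) -> int:
        """cTokens burned by redeemUnderlying(amount).  Flooring here is the second
        defect: at an inflated rate the burn rounds down to a single wei."""
        rate = self.exchange_rate()
        return div_ceil(amount * MANTISSA, rate) if round_up else amount * MANTISSA // rate

    def donate(self, amount: int) -> None:
        """A plain ERC-20 transfer into the market: cash rises, supply does not."""
        self.cash += amount

    def satoshi_per_wei(self) -> int:
        return self.exchange_rate() // MANTISSA


def market_is_manipulable(m: CTokenMarket, min_supply: int = 10**8) -> bool:
    """Monitoring check (threshold is an assumption): a market whose cToken supply
    sits below a floor can have its rate driven arbitrarily high by one donation."""
    return m.total_supply < min_supply


def run_scenario(locked_supply: int) -> dict:
    """Replay the shape of the incident.  `locked_supply` is cToken wei that the
    protocol itself minted and never redeems (seed-liquidity mitigation);
    0 reproduces the vulnerable state where the attacker is the only supplier."""
    m = CTokenMarket()
    if locked_supply:
        m.mint(locked_supply * m.initial_rate // MANTISSA)  # seed at the initial rate
    held = m.mint(4 * WBTC)              # supply 4 WBTC, receive hWBTC
    m.redeem_tokens(held - 2)            # redeem everything but 2 wei
    held = 2
    exposed = market_is_manipulable(m)
    m.donate(500 * WBTC)                 # flash-loaned WBTC sent straight to the pool
    per_wei = m.satoshi_per_wei()
    return {
        "exposed_before_donation": exposed,
        "satoshi_per_wei": per_wei,
        "collateral_satoshi": held * per_wei,  # what the 2 wei now count as collateral
        "burn_floor": m.tokens_for_underlying(2 * per_wei - 1, round_up=False),
        "burn_ceil": m.tokens_for_underlying(2 * per_wei - 1, round_up=True),
    }


if __name__ == "__main__":
    for label, locked in (("vulnerable", 0), ("seeded", 10**8)):
        r = run_scenario(locked)
        print(label, {k: (v / WBTC if "satoshi" in k else v) for k, v in r.items()})
```

With no seed supply, the 500 WBTC donation lands on a total supply of 2 wei, so each wei is valued at 250 WBTC and the attacker's dust counts as 500 WBTC of collateral; the floor in `tokens_for_underlying` then prices nearly 500 WBTC at one wei, which is the same effect as the 500.3 WBTC withdrawal described above. With 1e8 wei of protocol-owned supply in place, the same donation is spread across that supply and the attacker's 2 wei are worth about 1000 satoshi, while the `market_is_manipulable` check flags the empty market before any donation arrives.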

Mitigation and Best Practices:
- Test business logic thoroughly, including test cases that exercise flash-loan-sized positions and near-empty markets, so that it cannot be exploited with flash loans.
- Always make sure that state changes happen internally first, such as updating balances or calling internal functions, before calling external code.
- Regularly check for suspicious direct deposits into markets and prevent the arbitrage they enable.
- Scan your Solidity contracts against the latest common security vulnerabilities, including access control issues, with the 130+ detectors at SolidityScan.

Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord