Hundred Finance hacker moves stolen assets a year after $7M exploit


The hacker who stole $7.4 million from the decentralized finance (DeFi) protocol Hundred Finance has started moving the crypto assets after a year of inactivity. 

On May 1, the hacker moved Ether (ETH) and Tether (USDT) worth about $800,000 from Curve’s decentralized exchange (DEX) after providing liquidity on the platform more than one year ago.

Token transactions made by the Hundred Finance hacker. Source: Etherscan

After withdrawing the funds, the hacker converted USDT and other cryptocurrencies into ETH. This increased the exploiter’s ETH by more than $1 million.

The hacker currently holds a total of $4.3 million in assets in the wallet, which includes various crypto assets like Dai, Wrapped Ether, Frax and Wrapped Bitcoin.

On April 15, 2023, the DeFi protocol reported that it had suffered a security breach on the layer-2 network Optimism.

According to the blockchain security firm CertiK, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS. This allowed them to withdraw more tokens than were deposited.

This is commonly known in the DeFi world as a flash loan attack. This type of attack vector usually involves borrowing large amounts of funds with some form of uncollateralized loan from a lending platform.

The attacker then uses the assets to manipulate the price of crypto on DeFi platforms. In the Hundred Finance hack, large loans were taken out under the falsified exchange rate.

In 2022, Hundred Finance also suffered an exploit on the Gnosis Chain. The protocol’s liquidity was drained through a reentrancy attack, resulting in a $6 million loss.

Related: Pike Finance clarifies ‘USDC vulnerability’ statement on $1.6M exploit

While flash loan attacks have wreaked havoc within the space in the past few years, April 2024 showed a significant decrease in losses from this type of hack.

According to a report from CertiK, flash loan attacks only accounted for $129,000 lost in April. Its largest single incident within the month only caused $55,000 in damages. CertiK said in the report that this was the lowest amount lost to flash loan attacks since February 2022.

Meanwhile, losses to crypto hacks in general also decreased in April. Security company PeckShield reported that only $60 million was lost to hacks in the month. This represents a sharp decline compared to February and March, which recorded $360 million and $187 million in losses.

Magazine: Woman accused of $6B scam, China loophole for Hong Kong Bitcoin ETFs: Asia Express