🚨Protect your contract or pay the price: Hundred Finance lost ~$7 Million to a Contract Vulnerability

HashingBits | Week- 16

QuillAudits

Apr 24, 2023

In brief⚡

Hundred Finance ~lost $7Million due to a contract vulnerability.
Close call for KyberSwap as they found a contract vulnerability
~$110K swept away in Arbtomb Rug pull incident
Sandwich Attack Cost MEV Bots ~$1.4Million
Tales of Elleria lost ~$280K to a contract vulnerability.

Hacks and Scams⚠️

Hundred Finance

Amount of Loss: ~ $7M

Analysis

Hundred Finance lost ~$7 million in the recent exploit.
This was not Hundred Finance's first exploit: in March 2022, a hacker targeted both Hundred Finance and Agave Finance with a flash loan attack, stealing $12 million from the two projects.
The root cause is that the attacker donates 200 WBTC to inflate the exchange rate of hWBTC so that even a small amount (2 wei) of hWBTC can effectively drain current lending pools.
An attacker manipulated the exchange rate between tokens and their interest-bearing counterparts on the Hundred Finance system on the Optimism layer-2 network, stealing approximately $7.4 million from the project.

KyberSwap

Amount of Loss: Nil

Analysis

KyberSwap, a DEX aggregator and liquidity platform, announced via Twitter that they had discovered a potential loophole in KyberSwap Elastic and hoped that liquidity providers could extract liquidity as soon as possible.
So far, no user assets have been lost.
KyberSwap strongly advises all Liquidity Providers to withdraw their funds from Elastic as quickly as possible as a precaution.

Arbtomb

Amount of Loss: ~$110K

Analysis

Rug Pull is suspected in the Arbitrum ecological Arbtomb project.
The scammer transferred 54 ETH (approximately $110,000) to Ethereum, then 52 ETH to Tornado Cash, and 2.4 ETH to Binance.

MEV Bots

Amount of Loss: ~$1.4M

Analysis

According to Sealaunch, an NFT data and research platform, the MEV Bot named jaredfromsubway.eth recently carried out "sandwich attacks" on buyers and sellers of Meme coins such as WOJAK and PEPE, earning more than $1.4 million in profits.
Furthermore, Sealaunch stated that MEV Bots spent 7% of Ethereum's petrol fees between April 18 and 19.
More about MEV Bot & Sandwich Attack https://blog.quillhash.com/2022/10/28/a-guide-to-mev-critical-issues-and-best-security-practices/

Tales of Elleria

Amount of Loss: ~ $280K

Analysis

Wayne, the co-founder of the NFT game ‘Tales of Elleria’, tweeted early this morning: "The Tales of Elleria bridge contract was exploited, causing its LP to be depleted and losing more than $280,000."
The attacker appears to have created his signature and extracted many ELM tokens, thereby draining the LP.
According to the findings, the hacker used the ecrecover function to generate authorised signatures without the private key.

Explore the Depths of Knowledge: Research Papers & Blogs🔖

How to Prepare for a Web3 Security Breach: Incident Response Planning

This world is a game of chances and possibilities. No matter how secure you believe you are, there is always one possibility that you may or may not be aware of, which can be devastating. This does not imply that you abandon security. The game's goal is to increase your chances of surviving the attacks.

In this blog, we have discussed the incident response plan that should be established and followed in case of a security breach to mitigate further losses and save yourself.

Decoding Yearn Finance $11 Million Hack

Another day in DeFi and Yearn Finance's wild world, an $11 million blunder occurs. It's difficult to believe, but it's true. Yearn Finance on the Ethereum chain was attacked on April 13, 2023, due to a misconfiguration in the yUSDT vault. The attackers took advantage of this flaw and stole approximately $11.54 million.