Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 134 · Smart Contract Bug

Hundred Finance Exchange-Rate Manipulation

Hundred Finance on Optimism lost $7M to a donation-attack variant: a rounding bug in the Compound v2 fork's exchange-rate code let a tiny hWBTC position drain the pool.

On April 15, 2023, the multi-chain lending protocol Hundred Finance was exploited on its Optimism deployment for approximately $7 million. The vulnerability was a precision/rounding bug in the Compound v2 exchange-rate calculation — the same forked code that would later cost Sonne Finance $20M in 2024.

What happened

Hundred Finance was a Compound v2 fork. Its lending markets calculated the exchange rate between a deposit token (e.g. WBTC) and its corresponding cToken (hWBTC) using a formula that depended on:

  • totalCash — how much underlying the contract holds
  • totalBorrows and totalReserves — outstanding loans and reserve allocations
  • totalSupply — total cTokens minted

The attack used a flash loan and an empty-market donation pattern:

  1. The attacker found a Hundred market with negligible supply of cTokens.
  2. Using a flash loan, they donated WBTC directly to the contract (raw transfer, no mint), inflating totalCash without changing totalSupply.
  3. The exchange rate (totalCash / totalSupply) skyrocketed — a single cToken now represented a vast amount of underlying.
  4. They redeemed their tiny pre-existing cToken position, claiming almost the entire WBTC pool as the redemption.
  5. The protocol's redemption function also had a rounding error that prevented the math from blocking the absurd ratio.
  6. Repeating across vulnerable markets drained roughly $7M before Hundred paused.
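
The arithmetic behind steps 3 and 5, as an added example that is not part of the original page or Hundred Finance's code: a Python integer model of the Compound v2 exchange-rate formula, showing that a truncating redemption breaks an invariant a fork's test suite can assert, and that rounding up restores it. The market size, donation amount and function names are constructed, and borrows and reserves are assumed to be zero.

```python
# Added illustration: integer model of Compound v2-style cToken math.
# Not Hundred Finance's contract code; every figure below is constructed.
SCALE = 10**18  # fixed-point scale of the exchange-rate mantissa


def exchange_rate(total_cash, total_borrows, total_reserves, total_supply):
    """Underlying per cToken, scaled by SCALE (Compound v2 formula)."""
    return (total_cash + total_borrows - total_reserves) * SCALE // total_supply


def tokens_burned(redeem_amount, rate, round_up):
    """cTokens charged for withdrawing redeem_amount of underlying."""
    numerator = redeem_amount * SCALE
    if round_up:
        return (numerator + rate - 1) // rate  # ceiling: rounds against the redeemer
    return numerator // rate  # truncation: rounds in the redeemer's favour


def redemption_is_covered(redeem_amount, rate, burned):
    """Invariant: the burned cTokens are worth at least what leaves the pool."""
    return burned * rate // SCALE >= redeem_amount


def simulate(donation, round_up):
    """Near-empty market, raw transfer of `donation`, then withdrawal of it."""
    supply, cash = 2, 2  # constructed: 2 cToken units backed by 2 underlying units
    before = exchange_rate(cash, 0, 0, supply)  # assumes no borrows or reserves
    cash += donation  # raw transfer: totalCash grows, totalSupply does not
    after = exchange_rate(cash, 0, 0, supply)
    burned = tokens_burned(donation, after, round_up)
    return {
        "rate_before": before,
        "rate_after": after,
        "burned": burned,
        "covered": redemption_is_covered(donation, after, burned),
        "supply_left": supply - burned,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("round_up =", mode, simulate(100 * 10**8, mode))
```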

Aftermath

  • Hundred paused Optimism markets and announced a post-mortem.
  • Funds were laundered through cross-chain bridges and mixers. In April 2024 the attacker began moving the stolen assets again after a year of dormancy.
  • Hundred had previously been exploited in March 2022 (a reentrancy attack on the Gnosis Chain deployment, jointly with Agave, for $11M) and never fully recovered between incidents.

Why it matters

Hundred Finance was an early warning of what later played out at scale: Compound v2 forks deployed on alternative L1s and L2s tend to inherit the security model of vanilla Compound v2, including its known-but-easy-to-miss footguns. The donation/precision pattern has since accounted for incidents at Sonne, Midas, Onyx and others — every time, the same shape, every time, the same root cause.

Sources & on-chain evidence

  1. [01] halborn.com: https://www.halborn.com/blog/post/explained-the-hundred-finance-hack-april-2023
  2. [02] cryptotimes.io: https://www.cryptotimes.io/2023/04/17/hundred-finance-hacked-for-over-7-million/
  3. [03] blocksec.com: https://blocksec.com/blog/6-hundred-finance-incident-catalyzing-the-wave-of-precision-related-exploits-in-vulnerable-forked-protocols
