Decoding Hopelend’s $835k Exploit

Summary:

On the 18th of October 2023, the HopeLend Protocol on the Ethereum chain was attacked. The attack was made possible by a precision-loss vulnerability. Around $835k was stolen in the exploit.

About Project:

HopeLend is a decentralized, non-custodial lending protocol. To learn more about them, check out their documentation.


Vulnerability Analysis & Impact:

On-Chain Details:

Attacker Addresses: 0x1F23eb80f0c16758E4A55D48097c343bD20Be56f, 0xa8bbb3742f299b183190a9b079f1c0db8924145b, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A

Victim Contract:  0xc74b72bbf904bac9fac880303922fc76a69f0bb4

Attack Transaction: 0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392


The Root Cause: 

The root cause was a loss of precision in the HToken contract.

The attacker took advantage of the lack of precision in the liquidity index calculation performed during execution of _handleFlashLoanRepayment.


Attack Process:

  • First, the attacker took a flash loan of 2k WBTC and folded it into the liquidity index of the Pool contract's reserve.
  • The attacker was able to change the liquidity index of hEthWBTC from 1e27 to 7,560,000,001e27.
  • The attacker increased its profit by borrowing assets from different markets.
  • This resulted in the hacker profiting by paying less WBTC collateral due to the precision loss.

Flow of Funds: 

Here is the fund flow during and after the exploit. You can see more details here.

Attacker’s Wallets: 

It is worth noting that a generalized frontrunner, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A, was able to frontrun the original transaction by paying a bribe of 263 ETH to one of the validators managed by Lido.

Here is a snippet of the wallet address


After the Exploit

  • The Project acknowledged the hack via their Twitter.

Incident Timelines

Oct-18-2023 11:48:59 AM +UTC – The malicious transaction took place.

Oct-18-2023 11:48:59 AM +UTC – The original transaction was frontrun.


How could they have prevented the Exploit?

  • It is recommended to check all cases for precision loss.
  • If possible, protocols should focus on comprehensive invariant testing.
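As an added illustration (not HopeLend's code or any audit artifact), the block below models Aave v2-style ray (1e27) arithmetic, which many lending forks reuse, and shows the two points above: a small reserve lets a flash-loan premium inflate the liquidity index by the factor quoted in this post, and a simple round-trip invariant (the pool must never credit more than it received) catches the resulting rounding error. The function names, the 1-unit reserve and the deposit amounts are constructed for the example.

```python
# Aave v2-style fixed-point "ray" math (RAY = 1e27), modelled for this post.
# Amounts are in WBTC base units (8 decimals, so 1 WBTC = 1e8). All values
# below are constructed test inputs, not figures recovered from the chain.
RAY = 10**27

def ray_mul(a: int, b: int) -> int:
    """a * b / RAY, rounded half-up (as WadRayMath.rayMul does)."""
    return (a * b + RAY // 2) // RAY

def ray_div(a: int, b: int) -> int:
    """a * RAY / b, rounded half-up (as WadRayMath.rayDiv does)."""
    return (a * RAY + b // 2) // b

def cumulate_to_liquidity_index(total_liquidity: int, amount: int, index: int) -> int:
    """Fold an income `amount` (e.g. a flash-loan premium) into the index:
    index *= 1 + amount / total_liquidity. A tiny total_liquidity makes the
    ratio, and therefore the index, explode."""
    ratio = ray_div(amount, total_liquidity)
    return ray_mul(ratio + RAY, index)

def scaled_balance(deposit: int, index: int) -> int:
    """Scaled units credited for a deposit: deposit / index."""
    return ray_div(deposit, index)

def balance_of(scaled: int, index: int) -> int:
    """Underlying units a scaled balance redeems for: scaled * index."""
    return ray_mul(scaled, index)

def round_trip_error(deposit: int, index: int) -> int:
    """Invariant: credited balance minus deposit must be <= 0 (rounding may
    only favour the pool). A positive result is a precision-loss bug."""
    return balance_of(scaled_balance(deposit, index), index) - deposit

def find_violations(deposits, index: int) -> list:
    """Deposits for which the pool would credit more than it received."""
    return [d for d in deposits if round_trip_error(d, index) > 0]

# Constructed scenario: a reserve holding 1 unit at a fresh index of 1e27
# receives 7.56e9 units of income, so the index jumps by 7,560,000,001x.
START_INDEX = RAY
INFLATED_INDEX = cumulate_to_liquidity_index(1, 7_560_000_000, START_INDEX)

if __name__ == "__main__":
    print("inflated index:", INFLATED_INDEX)
    for d in (10**8, 38 * 10**8):  # 1 WBTC and 38 WBTC
        print(d, round_trip_error(d, START_INDEX), round_trip_error(d, INFLATED_INDEX))
```

With the inflated index, a 1 WBTC deposit rounds down to zero scaled balance while a 38 WBTC deposit rounds up to one scaled unit worth about 75.6 WBTC; the same check at the healthy index reports no error for either amount.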

The Imperative Need for Web3 Security

As a Web3 security firm, we at QuillAudits embrace the essence of decentralization by offering transparency, and we want that spirit to shine through in our services too.
