Decoding Hopelend’s $835k Exploit

Hopelend Exploit

Table of Contents

Read Time: 3 minutes


On the 18th of October 2023, HopeLend Protocol on the Ethereum chain was attacked. The attack was made possible by a Precision Loss vulnerability. Around $835k was stolen from the exploit.

About Project:

HopeLend is a decentralized, non-custodial lending protocol. To learn more about them, check out their documentation.

Vulnerability Analysis & Impact:

On-Chain Details:

Attacker Address:  0x1F23eb80f0c16758E4A55D48097c343bD20Be56f 0xa8bbb3742f299b183190a9b079f1c0db8924145b, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A

Victim Contract:  0xc74b72bbf904bac9fac880303922fc76a69f0bb4

Attack Transaction: 0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392

The Root Cause: 

The root cause was the loss of precision loss in Htoken’s contract. 

The attacker took the advantage of lack of precision in calculating liquidity index during execution of  _handleFlashLoanRepayment 

Attack Process:

  • First, the attacker took a FlashLoan of 2k WBTC. followed by adding that into the Pool contract’s reserve’s liquidity index 
  • The attacker was able to change the liquidity index of hEthWBTC  from 1e27 to 7,560,000,001e27
  • The attacker increase it’s profit by borrowing assets from different markets.
  • This resulted in hacker profiting by paying less collateral of WBTC due to precision loss 

Flow of Funds: 

Here is the fund flow during and after the exploit. You can see more details here.

Attacker’s Wallets: 

It is worth noting that a Generalized frontrunner 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A was able to frontrun the original transaction by paying a bribe of 263ETH to one of the validatiors managed by Lido 

Here is a snippet of the wallet address

After the Exploit

  • The Project acknowledged the hack via their Twitter.

Incident Timelines

Oct-18-2023 11:48:59 AM +UTC  – The malicious transaction took place 

Oct-18-2023 11:48:59 AM +UTCThe original transaction was frontrunned.

How could they have prevented the Exploit?

  • It is recommend to check all the cases for precision loss
  • If possible, protocols are requested to focus on comprehensive invariant testing 

The Imperative Need for Web3 Security

As a Web3 security firm QuillAudits, we embrace the essence of decentralization by offering transparency, and we want that spirit to shine through in our services too.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :

Linkedin | Twitter | Website | Newsletter | Discord | Telegram

Partner with QuillAudits :


Related Articles

View All

Leave a Comment

Your email address will not be published. Required fields are marked *


Blockchain for dog nose wrinkles' Ponzi makes off ~$127M🐶

Project promised up to 150% returns on investment in 100 days, raising about 166.4 billion South Korean won — or about $127 million — from 22,000 people.

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:


Refer QuillAudits to Web3 projects for audits.


Earn rewards as we conclude the audits.


Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $200K+