Decoding Hopelend’s $835k Exploit


Read Time: 3 minutes

Summary:

On the 18th of October 2023, the HopeLend Protocol on the Ethereum chain was attacked. The attack was made possible by a precision loss vulnerability. Around $835k was stolen in the exploit.

About Project:

HopeLend is a decentralized, non-custodial lending protocol. To learn more about them, check out their documentation.


Vulnerability Analysis & Impact:

On-Chain Details:

Attacker Addresses: 0x1F23eb80f0c16758E4A55D48097c343bD20Be56f, 0xa8bbb3742f299b183190a9b079f1c0db8924145b, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A

Victim Contract:  0xc74b72bbf904bac9fac880303922fc76a69f0bb4

Attack Transaction: 0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392


The Root Cause:

The root cause was a precision loss in the Htoken contract.

The attacker took advantage of the lack of precision in the liquidity index calculation performed during execution of _handleFlashLoanRepayment.


Attack Process:

  • First, the attacker took a flash loan of 2k WBTC and used it to inflate the liquidity index of the Pool contract's reserve.
  • The attacker was able to change the liquidity index of hEthWBTC from 1e27 to 7,560,000,001e27.
  • The attacker increased its profit by borrowing assets from different markets.
  • This resulted in the attacker profiting by paying less WBTC collateral due to the precision loss.

Flow of Funds:

Here is the fund flow during and after the exploit. You can see more details here.

Attacker’s Wallets:

It is worth noting that a generalized frontrunner, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A, was able to frontrun the original transaction by paying a bribe of 263 ETH to one of the validators managed by Lido.

Here is a snippet of the wallet address.


After the Exploit

  • The Project acknowledged the hack via their Twitter.

Incident Timelines

Oct-18-2023 11:48:59 AM +UTC – The malicious transaction took place.

Oct-18-2023 11:48:59 AM +UTC – The original transaction was frontrun.


How could they have prevented the Exploit?

  • It is recommended to check all cases for precision loss.
  • If possible, protocols should focus on comprehensive invariant testing.
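To make the root cause and the recommended invariant testing concrete, here is an added illustration that is not HopeLend's code. It assumes the reserve uses Aave-v2-style ray math (27-decimal fixed point with truncating integer division); the flash-loan premium, pool sizes and deposit amounts are constructed values, chosen so that the inflated index matches the 7,560,000,001e27 figure quoted above under this assumed formula.

```python
# Added illustration, not HopeLend's code. Assumes Aave-v2-style ray math for the
# reserve (27-decimal fixed point, uint256-style integer division); values constructed.
RAY = 10**27
HALF_RAY = RAY // 2

def ray_mul(a: int, b: int) -> int:
    """Fixed-point multiply with round-half-up, as the Solidity library does it."""
    return (a * b + HALF_RAY) // RAY

def ray_div(a: int, b: int) -> int:
    """Fixed-point divide with round-half-up; b must be non-zero."""
    return (a * RAY + b // 2) // b

def cumulate_to_liquidity_index(index: int, total_liquidity: int, premium: int) -> int:
    """Credit a flash-loan premium to the reserve: index *= (1 + premium / total_liquidity).
    If the reserve holds almost no liquidity the ratio, and so the index, explodes."""
    if total_liquidity == 0:
        raise ValueError("empty reserve")
    ratio = ray_div(premium, total_liquidity)
    return ray_mul(ratio + RAY, index)

def balance_to_scaled(amount: int, index: int) -> int:
    """Underlying amount -> scaled hToken units stored on deposit."""
    return ray_div(amount, index)

def scaled_to_balance(scaled: int, index: int) -> int:
    """Scaled hToken units -> underlying amount reported as balance/collateral."""
    return ray_mul(scaled, index)

def index_growth_ok(old: int, new: int, max_growth_bps: int = 100) -> bool:
    """Invariant for a fuzz suite: after one repayment the index only grows, and by
    at most max_growth_bps basis points (a real premium is a tiny share of the pool)."""
    return old <= new <= old + old * max_growth_bps // 10_000

if __name__ == "__main__":
    WBTC = 10**8                        # WBTC has 8 decimals
    premium = 7_560_000_000             # constructed premium, in base units
    healthy = cumulate_to_liquidity_index(RAY, 100_000 * WBTC, premium)
    drained = cumulate_to_liquidity_index(RAY, 1, premium)   # reserve holds 1 base unit
    print("healthy reserve passes invariant:", index_growth_ok(RAY, healthy))  # True
    print("drained reserve passes invariant:", index_growth_ok(RAY, drained))  # False
    print("index after premium on 1 unit:", drained // RAY)                    # 7560000001
    # With the inflated index every balance is quantized in steps of index/RAY base units
    print("30 WBTC deposit -> scaled units:", balance_to_scaled(30 * WBTC, drained))  # 0
    print("40 WBTC deposit -> scaled units:", balance_to_scaled(40 * WBTC, drained))  # 1
    print("1 scaled unit reported as:", scaled_to_balance(1, drained))  # 7560000001
```

The last three lines show the precision loss itself: once the index is inflated, deposits and collateral are rounded to multiples of 75.6 WBTC, so a 40 WBTC deposit is booked as 75.6 WBTC of collateral, which is the kind of rounding gap an invariant suite should catch before deployment.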

The Imperative Need for Web3 Security

As a Web3 security firm, QuillAudits embraces the essence of decentralization by offering transparency, and we want that spirit to shine through in our services too.
