Summary:
On the 18th of October 2023, HopeLend Protocol on the Ethereum chain was attacked. The attack was made possible by a Precision Loss vulnerability. Around $835k was stolen from the exploit.
About Project:
HopeLend is a decentralized, non-custodial lending protocol. To learn more about them, check out their documentation.
Vulnerability Analysis & Impact:
On-Chain Details:
Attacker Address: 0x1F23eb80f0c16758E4A55D48097c343bD20Be56f 0xa8bbb3742f299b183190a9b079f1c0db8924145b, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A,
Victim Contract: 0xc74b72bbf904bac9fac880303922fc76a69f0bb4
Attack Transaction: 0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392
The Root Cause:
The root cause was the loss of precision loss in Htoken’s contract.
The attacker took the advantage of lack of precision in calculating liquidity index during execution of _handleFlashLoanRepayment
Attack Process:
- First, the attacker took a FlashLoan of 2k WBTC. followed by adding that into the Pool contract’s reserve’s liquidity index
- The attacker was able to change the liquidity index of hEthWBTC from 1e27 to 7,560,000,001e27
- The attacker increase it’s profit by borrowing assets from different markets.
- This resulted in hacker profiting by paying less collateral of WBTC due to precision loss
Flow of Funds:
Here is the fund flow during and after the exploit. You can see more details here.
Attacker’s Wallets:
It is worth noting that a Generalized frontrunner 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A was able to frontrun the original transaction by paying a bribe of 263ETH to one of the validatiors managed by Lido
Here is a snippet of the wallet address
After the Exploit
- The Project acknowledged the hack via their Twitter.
Incident Timelines
Oct-18-2023 11:48:59 AM +UTC – The malicious transaction took place
Oct-18-2023 11:48:59 AM +UTC – The original transaction was frontrunned.
How could they have prevented the Exploit?
- It is recommend to check all the cases for precision loss
- If possible, protocols are requested to focus on comprehensive invariant testing
The Imperative Need for Web3 Security
As a Web3 security firm QuillAudits, we embrace the essence of decentralization by offering transparency, and we want that spirit to shine through in our services too.
Want more Such Security Blogs & Reports?
Connect with QuillAudits on :
Linkedin | Twitter | Website | Newsletter | Discord | Telegram
Partner with QuillAudits :
- Affiliate program ( Refer and secure web3 )
- QuillAudits Partnership Programme ( Venture funds, launchpads, development companies, marketing firms, web2 cybersecurity firms, web3 products )
- Join Ambassador program