Decoding Hopelend’s $835k Exploit

Updated at: June 5, 2024

Summary

On the 18th of October 2023, HopeLend Protocol on the Ethereum chain was attacked. The attack was made possible by a precision loss vulnerability. Around $835k was stolen in the exploit.


About Project

HopeLend is a decentralized, non-custodial lending protocol. To learn more about them, check out their documentation.


Vulnerability Analysis & Impact

On-Chain Details

Attacker Address: 0x1F23eb80f0c16758E4A55D48097c343bD20Be56f, 0xa8bbb3742f299b183190a9b079f1c0db8924145b, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A

Victim Contract: 0xc74b72bbf904bac9fac880303922fc76a69f0bb4

Attack Transaction: 0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392


The Root Cause

The root cause was a loss of precision in the Htoken contract.

The attacker took advantage of the lack of precision in calculating the liquidity index during the execution of _handleFlashLoanRepayment.

Attack Process

  • First, the attacker took a flash loan of 2k WBTC, followed by adding that into the liquidity index of the Pool contract's reserve.
  • The attacker was able to change the liquidity index of hEthWBTC from 1e27 to 7,560,000,001e27.
  • The attacker increased their profit by borrowing assets from different markets.
  • This resulted in the attacker profiting by paying less WBTC collateral due to precision loss.

Flow of Funds

Here is the fund flow during and after the exploit. You can see more details here.

[Figure: flow of funds]

Attacker’s Wallets

It is worth noting that a generalized frontrunner, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A, was able to frontrun the original transaction by paying a bribe of 263 ETH to one of the validators managed by Lido.

Here is a snippet of the wallet address

[Figure: snippet of the wallet address]

After the Exploit

The Project acknowledged the hack via their Twitter.


Incident Timelines

Oct-18-2023 11:48:59 AM +UTC – The malicious transaction took place

Oct-18-2023 11:48:59 AM +UTC – The original transaction was frontrun.


How could they have prevented the Exploit?

  • It is recommended to check all cases for precision loss.
  • If possible, protocols are requested to focus on comprehensive invariant testing.
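
The invariant testing recommended above, sketched as an added example (not HopeLend's or QuillAudits' code). It assumes Aave-style ray math with half-up rounding, which this page does not show; the two index values are the ones given in the attack process, and the function names and sample amounts are hypothetical.

```python
RAY = 10**27  # 27-decimal fixed point used for the liquidity index


def ray_mul(a: int, b: int) -> int:
    """a * b / RAY, rounded half up (assumed Aave-style ray math)."""
    return (a * b + RAY // 2) // RAY


def ray_div(a: int, b: int) -> int:
    """a * RAY / b, rounded half up (assumed Aave-style ray math)."""
    return (a * RAY + b // 2) // b


def value_drift(amount: int, index: int) -> int:
    """Base units by which one mint or burn of `amount` is mis-accounted.

    The token records ray_div(amount, index) scaled units, and those units
    are worth ray_mul(scaled, index). A non-zero result means the underlying
    moved and the scaled balance recorded for it disagree.
    """
    scaled = ray_div(amount, index)
    return amount - ray_mul(scaled, index)


def worst_drift(index: int, amounts) -> int:
    """Largest absolute drift over the tested amounts."""
    return max(abs(value_drift(a, index)) for a in amounts)


def invariant_holds(index: int, amounts, tolerance: int = 1) -> bool:
    """Invariant: no single operation drifts by more than `tolerance` units."""
    return worst_drift(index, amounts) <= tolerance


# Index values are from the page; the amounts are constructed samples
# placed on either side of the half-up rounding boundaries.
NORMAL_INDEX = 1 * RAY
INFLATED_INDEX = 7_560_000_001 * RAY
SAMPLE_AMOUNTS = [1, 10**8, 3_780_000_001, 7_560_000_001, 11_340_000_001]

if __name__ == "__main__":
    for name, idx in [("normal", NORMAL_INDEX), ("inflated", INFLATED_INDEX)]:
        print(name, invariant_holds(idx, SAMPLE_AMOUNTS),
              worst_drift(idx, SAMPLE_AMOUNTS))
```

At the normal index every sample is accounted exactly. At the inflated index a single operation can drift by 3,780,000,000 base units (37.8 WBTC at WBTC's 8 decimals), which is the kind of deviation an invariant test on the index and scaled balances should bound.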

Why QuillAudits For Web3 Security?

  • QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of hundreds of protocols in funds.
  • Our team of highly skilled auditors have secured over 1M lines of code and $30B in amount.
  • Over the course of multiple years, QuillAudits has been proven to be one of the top choices for protocols to get their codebases audited.
