Decoding HopeLend’s $835k Exploit
Summary
On the 18th of October 2023, HopeLend Protocol on the Ethereum chain was attacked. The attack was made possible by a precision loss vulnerability. Around $835k was stolen in the exploit.
About Project
HopeLend is a decentralized, non-custodial lending protocol. To learn more about them, check out their documentation.
Vulnerability Analysis & Impact
On-Chain Details
Attacker Addresses: 0x1F23eb80f0c16758E4A55D48097c343bD20Be56f, 0xa8bbb3742f299b183190a9b079f1c0db8924145b, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A
Victim Contract: 0xc74b72bbf904bac9fac880303922fc76a69f0bb4
Attack Transaction: 0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392
The Root Cause
The root cause was a loss of precision in the Htoken contract.
The attacker took advantage of the lack of precision in calculating the liquidity index during the execution of _handleFlashLoanRepayment.
Attack Process
- First, the attacker took a flash loan of 2k WBTC and then added it into the liquidity index of the Pool contract’s reserve.
- The attacker was able to change the liquidity index of hEthWBTC from 1e27 to 7,560,000,001e27.
- The attacker increased their profit by borrowing assets from different markets.
- This resulted in the attacker profiting by paying less WBTC collateral due to precision loss.
Flow of Funds
Here is the fund flow during and after the exploit. You can see more details here.
Attacker’s Wallets
It is worth noting that a generalized frontrunner, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A, was able to front-run the original transaction by paying a bribe of 263 ETH to one of the validators managed by Lido.
Here is a snippet of the wallet address
After the Exploit
The project acknowledged the hack via their Twitter.
Incident Timelines
Oct-18-2023 11:48:59 AM +UTC — The malicious transaction took place.
Oct-18-2023 11:48:59 AM +UTC — The original transaction was front-run.
How could they have prevented the Exploit?
- It is recommended to check all cases for precision loss.
- Where possible, protocols should focus on comprehensive invariant testing.
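As an added example (not HopeLend's code), here is what such an invariant test can look like for the precision loss described above: a withdrawal must never pay out more underlying than the value of the scaled balance it burns. It assumes Aave-v2-style ray math (27 decimals, half-up rounding); all function names are hypothetical and the sample amounts are constructed.

```python
# Added illustration; assumes Aave-v2-style ray math (27 decimals, half-up rounding).
RAY = 10**27
HALF_RAY = RAY // 2
INFLATED_INDEX = 7_560_000_001 * RAY  # index value reported in the write-up


def ray_mul(a: int, b: int) -> int:
    """Fixed-point multiply, rounding half up."""
    return (a * b + HALF_RAY) // RAY


def ray_div(a: int, b: int) -> int:
    """Fixed-point divide, rounding half up."""
    return (a * RAY + b // 2) // b


def burn_half_up(amount: int, index: int) -> int:
    """Scaled balance burned for a withdrawal when the division rounds half up."""
    return ray_div(amount, index)


def burn_round_up(amount: int, index: int) -> int:
    """Hardened variant: always round the burned scaled balance up."""
    return (amount * RAY + index - 1) // index


def withdraw_shortfall(amount: int, index: int, burn_fn) -> int:
    """Underlying paid out minus underlying value of the scaled balance burned."""
    return amount - ray_mul(burn_fn(amount, index), index)


def invariant_violations(index: int, amounts, burn_fn):
    """Amounts for which a withdrawal pays out more than it burns."""
    return [a for a in amounts if withdraw_shortfall(a, index, burn_fn) > 0]


if __name__ == "__main__":
    samples = [1, 3_780_000_000, 3_780_000_001, 7_560_000_001]  # constructed inputs
    for name, index in (("1e27", RAY), ("inflated", INFLATED_INDEX)):
        for fn in (burn_half_up, burn_round_up):
            print(name, fn.__name__, invariant_violations(index, samples, fn))
```

At an index of 1e27 neither rounding mode violates the invariant; at the inflated index the half-up path burns zero scaled balance for any amount below half the index, while rounding the burn up keeps the invariant for every sample.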