Open in app

Sign in

Write

Sign in

Decoding Hopelend’s $835k Exploit

QuillAudits - Web3 Security 🛡️
3 min readJun 14, 2024

--

Summary

On the 18th of October 2023, HopeLend Protocol on the Ethereum chain was attacked. The attack was made possible by a Precision Loss vulnerability. Around $835k was stolen from the exploit.

About Project

HopeLend is a decentralized, non-custodial lending protocol. To learn more about them, check out their documentation.

Vulnerability Analysis & Impact

On-Chain Details

Attacker Address: 0x1F23eb80f0c16758E4A55D48097c343bD20Be56f 0xa8bbb3742f299b183190a9b079f1c0db8924145b, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A,

Victim Contract: 0xc74b72bbf904bac9fac880303922fc76a69f0bb4

Attack Transaction: 0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392

The Root Cause

The root cause was the loss of precision loss in Htoken’s contract.

The attacker took the advantage of lack of precision in calculating liquidity index during execution of _handleFlashLoanRepayment

Attack Process

  • First, the attacker took a FlashLoan of 2k WBTC. followed by adding that into the Pool contract’s reserve’s liquidity index
  • The attacker was able to change the liquidity index of hEthWBTC from 1e27 to 7,560,000,001e27
  • The attacker increase it’s profit by borrowing assets from different markets.
  • This resulted in hacker profiting by paying less collateral of WBTC due to precision loss

Flow of Funds

Here is the fund flow during and after the exploit. You can see more details here.

Attacker’s Wallets

It is worth noting that a Generalized frontrunner 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A was able to frontrun the original transaction by paying a bribe of 263ETH to one of the validatiors managed by Lido

Here is a snippet of the wallet address

After the Exploit

The Project acknowledged the hack via their Twitter.

Incident Timelines

Oct-18–2023 11:48:59 AM +UTC — The malicious transaction took place

Oct-18–2023 11:48:59 AM +UTC — The original transaction was frontrunned.

How could they have prevented the Exploit?

  • It is recommend to check all the cases for precision loss
  • If possible, protocols are requested to focus on comprehensive invariant testing
PostMortem
Hack Analysis
Web3 Security

--

--

QuillAudits - Web3 Security 🛡️

Written by QuillAudits - Web3 Security 🛡️

951 Followers

Building the QuillAI Network: AI Agents Safeguarding Web3. Leading Smart Contract Audit Firm with $30B+ secured. Join our security squad builders 🛡️

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams