Decoding Hopelend’s $835k Exploit

Abstract:

On the 18th of October 2023, HopeLend Protocol on the Ethereum chain was attacked. The assault was made potential by a Precision Loss vulnerability. Round $835k was stolen from the exploit.

About Challenge:

HopeLend is a decentralized, non-custodial lending protocol. To be taught extra about them, take a look at their documentation.

Vulnerability Evaluation & Influence:

On-Chain Particulars:

Attacker Deal with:  0x1F23eb80f0c16758E4A55D48097c343bD20Be56f 0xa8bbb3742f299b183190a9b079f1c0db8924145b, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A, 

Sufferer Contract:  0xc74b72bbf904bac9fac880303922fc76a69f0bb4

Assault Transaction: 0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392

The Root Trigger: 

The foundation trigger was the lack of precision loss in Htoken’s contract. 

The attacker took the benefit of lack of precision in calculating liquidity index throughout execution of  _handleFlashLoanRepayment 

Assault Course of:

• First, the attacker took a FlashLoan of 2k WBTC. adopted by including that into the Pool contract’s reserve’s liquidity index 

• The attacker was in a position to change the liquidity index of hEthWBTC  from 1e27 to 7,560,000,001e27

• The attacker enhance it’s revenue by borrowing property from totally different markets.
• This resulted in hacker profiting by paying much less collateral of WBTC resulting from precision loss 

Circulation of Funds: 

Right here is the fund move throughout and after the exploit. You possibly can see extra particulars here.

Attacker’s Wallets: 

It’s value noting {that a} Generalized frontrunner 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A was in a position to frontrun the unique transaction by paying a bribe of 263ETH to one of many validatiors managed by Lido 

Here’s a snippet of the pockets deal with

After the Exploit

• The Challenge acknowledged the hack through their Twitter.

Incident Timelines

Oct-18-2023 11:48:59 AM +UTC  – The malicious transaction came about 

Oct-18-2023 11:48:59 AM +UTC – The unique transaction was frontrunned.

How might they’ve prevented the Exploit?

• It’s advocate to test all of the instances for precision loss
• If potential, protocols are requested to give attention to complete invariant testing 

The Crucial Want for Web3 Safety

As a Web3 safety agency QuillAudits, we embrace the essence of decentralization by providing transparency, and we would like that spirit to shine via in our providers too.

Need extra Such Safety Blogs & Stories?

Join with QuillAudits on :

Linkedin | Twitter | Website | Newsletter | Discord | Telegram

Companion with QuillAudits :

181 Views