Decoding Hopelend’s $835k Exploit

Summary

On the 18th of October 2023, HopeLend Protocol on the Ethereum chain was attacked. The attack was made possible by a Precision Loss vulnerability. Around $835k was stolen from the exploit.

About Project

HopeLend is a decentralized, non-custodial lending protocol. To learn more about them, check out their documentation.

Vulnerability Analysis & Impact

On-Chain Details

Attacker Address: 0x1F23eb80f0c16758E4A55D48097c343bD20Be56f 0xa8bbb3742f299b183190a9b079f1c0db8924145b, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A,

Victim Contract: 0xc74b72bbf904bac9fac880303922fc76a69f0bb4

Attack Transaction: 0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392

The Root Cause

The root cause was the loss of precision loss in Htoken’s contract.

The attacker took the advantage of lack of precision in calculating liquidity index during execution of _handleFlashLoanRepayment

Attack Process

• First, the attacker took a FlashLoan of 2k WBTC. followed by adding that into the Pool contract’s reserve’s liquidity index

• The attacker was able to change the liquidity index of hEthWBTC from 1e27 to 7,560,000,001e27

• The attacker increase it’s profit by borrowing assets from different markets.

• This resulted in hacker profiting by paying less collateral of WBTC due to precision loss

Flow of Funds

Here is the fund flow during and after the exploit. You can see more details here.

Attacker’s Wallets

It is worth noting that a Generalized frontrunner 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A was able to frontrun the original transaction by paying a bribe of 263ETH to one of the validatiors managed by Lido

Here is a snippet of the wallet address

After the Exploit

The Project acknowledged the hack via their Twitter.

Incident Timelines

Oct-18-2023 11:48:59 AM +UTC – The malicious transaction took place

Oct-18-2023 11:48:59 AM +UTC – The original transaction was frontrunned.

How could they have prevented the Exploit?

• It is recommend to check all the cases for precision loss

• If possible, protocols are requested to focus on comprehensive invariant testing

Why QuillAudits For Web3 Security?

• QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of hundreds of protocols in funds.

• Our team of highly skilled auditors have secured over 1M lines of code and $30B in amount.

• Over the course of multiple years, QuillAudits has been proven to be one of the top choices for protocols to get their codebases audited.

Partner with QuillAudits

• OG Program (Opportunities for Listing Managers, KOLs, Top Advisors and Investors with access to early stage Web3 projects)

• QuillAudits Partnership Programme (Venture funds, launchpads, development companies, marketing firms, web2 cybersecurity firms, web3 products)

• WAGSI Program(Claim audit credits to avail exclusive discounts on our auditing package, and additional credits for our automated web3 security infra- QuillShield)