A year after pilfering $7.4 million from the decentralized finance (DeFi) protocol Hundred Finance, the perpetrator has begun transferring the stolen cryptocurrency assets.
On May 1, the criminal shifted approximately $800,000 worth of Ether and Tether from Curve’s decentralized exchange, where the funds had been provided as liquidity over a year prior.
Subsequent to these transactions, the hacker exchanged USDT and other cryptocurrencies for ETH, increasing their Ether holdings by over $1 million, as per transaction data from Etherscan.
Presently, the hacker’s Ethereum wallet contains about $4.3 million in various cryptocurrencies, including Dai, Wrapped Ether, Frax, and Wrapped Bitcoin.
The incident on April 15, 2023, marked Hundred Finance’s disclosure of a security breach on the Optimism layer-2 network. Blockchain security company CertiK detailed that the attacker had manipulated the exchange rate between ERC-20 tokens and hTOKENS, enabling them to withdraw more tokens than deposited, a technique often seen in flash loan attacks. These attacks involve borrowing substantial sums through uncollateralized loans from lending platforms to manipulate prices on DeFi platforms, exploiting the altered rates for profit.
In 2022, Hundred Finance faced another significant setback on the Gnosis Chain, where a reentrancy attack drained the protocol’s liquidity, resulting in a loss of $6 million.
Despite the prevalence of flash loan attacks causing significant losses in the past, April 2024 witnessed a marked decrease in such incidents. CertiK’s report highlighted that flash loan attacks accounted for a mere $129,000 in losses that month, with the largest single incident causing $55,000 in damages—this represented the lowest monthly loss to flash loan attacks since February 2022.
Additionally, overall losses from cryptocurrency hacks also declined in April, with security firm PeckShield noting that total losses amounted to only $60 million, a steep reduction from the $360 million and $187 million recorded in February and March, respectively.