
Decoding Hopelend’s $835k Exploit


Read Time: 3 minutes

Abstract:

On the 18th of October 2023, the HopeLend Protocol on the Ethereum chain was attacked. The attack was made possible by a precision loss vulnerability. Around $835k was stolen in the exploit.

About the Project:

HopeLend is a decentralized, non-custodial lending protocol. To learn more about them, check out their documentation.


Vulnerability Analysis & Impact:

On-Chain Details:

Attacker Addresses: 0x1F23eb80f0c16758E4A55D48097c343bD20Be56f, 0xa8bbb3742f299b183190a9b079f1c0db8924145b, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A

Victim Contract: 0xc74b72bbf904bac9fac880303922fc76a69f0bb4

Attack Transaction: 0x1a7ee0a7efc70ed7429edef069a1dd001fbff378748d91f17ab1876dc6d10392


The Root Cause:

The root cause was precision loss in the HToken contract.

The attacker took advantage of the lack of precision in the calculation of the liquidity index during execution of _handleFlashLoanRepayment.


Attack Process:

  • First, the attacker took a flash loan of 2k WBTC, followed by adding that amount into the Pool contract's reserve liquidity index.
  • The attacker was able to change the liquidity index of hEthWBTC from 1e27 to 7,560,000,001e27.
  • The attacker increased their profit by borrowing assets from different markets.
  • This resulted in the hacker profiting by paying less WBTC collateral due to the precision loss.

Flow of Funds:

Here is the fund flow during and after the exploit. You can see more details here.

Attacker's Wallets:

It's worth noting that a generalized frontrunner, 0x9a9122Ef3C4B33cAe7902EDFCD5F5a486792Bc3A, was able to frontrun the original transaction by paying a bribe of 263 ETH to one of the validators operated by Lido.

Here is a snippet of the wallet address.


After the Exploit

  • The project acknowledged the hack via their Twitter.

Incident Timeline

Oct-18-2023 11:48:59 AM +UTC – The malicious transaction took place.

Oct-18-2023 11:48:59 AM +UTC – The original transaction was frontrun.


How could they have prevented the Exploit?

  • It is recommended to test every code path for precision loss, especially where amounts are scaled by an index.
  • If possible, protocols should focus on comprehensive invariant testing.
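The following Python model is an added, defender-side example; it is not HopeLend's or QuillAudits' code. It shows how the precision loss described in the attack process arises and what the invariant test recommended above looks like in practice. It assumes an Aave-style design in which suppliers hold "scaled" balances (underlying divided by a ray, 1e27, liquidity index) and a flash-loan premium is credited to suppliers by scaling that index. The seed deposit of 1 unit and the premium of 7,560,000,000 units are constructed so that the index lands on the 7,560,000,001e27 figure quoted in this write-up; the names Reserve, cumulate_premium, mint_claim and invariant_holds are the example's own.

```python
# Added example (not HopeLend's or QuillAudits' code): a simplified model of an
# Aave-style liquidity index in ray (1e27) fixed point, used to show the
# precision loss behind the exploit and the invariant test that would catch it.
# Assumptions: suppliers hold "scaled" balances (underlying / index) and a
# flash-loan premium is credited by scaling the index. All values are constructed.

RAY = 10**27


def ray_div_half_up(a, b):
    # Rounds to nearest (half up), the usual fixed-point library behaviour.
    return (a * RAY + b // 2) // b


def ray_mul_half_up(a, b):
    return (a * b + RAY // 2) // RAY


def ray_div_floor(a, b):
    # Rounds down: a depositor never receives more scaled units than paid for.
    return (a * RAY) // b


def ray_mul_floor(a, b):
    return (a * b) // RAY


class Reserve:
    """Minimal lending-pool reserve: one liquidity index, scaled balances."""

    def __init__(self, protocol_favor):
        self.protocol_favor = protocol_favor  # round against the user when True
        self.index = RAY                      # 1e27 == no interest accrued yet
        self.total_liquidity = 0              # underlying units held by the pool
        self.scaled = {}                      # supplier -> scaled balance

    def _div(self, a, b):
        return ray_div_floor(a, b) if self.protocol_favor else ray_div_half_up(a, b)

    def _mul(self, a, b):
        return ray_mul_floor(a, b) if self.protocol_favor else ray_mul_half_up(a, b)

    def supply(self, who, amount):
        # Mint scaled units; a mint of zero units must be rejected.
        scaled = self._div(amount, self.index)
        if scaled == 0:
            raise ValueError("invalid mint amount")
        self.scaled[who] = self.scaled.get(who, 0) + scaled
        self.total_liquidity += amount
        return scaled

    def cumulate_premium(self, premium):
        # Flash-loan repayment: the premium is shared pro rata by bumping the
        # index. With tiny total liquidity the bump is enormous.
        if self.total_liquidity == 0:
            raise ValueError("no liquidity to accrue to")
        ratio = ray_div_floor(premium, self.total_liquidity)
        self.index = ray_mul_floor(ratio + RAY, self.index)
        self.total_liquidity += premium

    def balance_of(self, who):
        return self._mul(self.scaled.get(who, 0), self.index)

    def solvent(self):
        # Invariant: what suppliers can claim never exceeds what the pool holds.
        claims = sum(self.balance_of(w) for w in self.scaled)
        return claims <= self.total_liquidity


def mint_claim(protocol_favor, index, amount):
    """Underlying value claimable right after depositing `amount` at `index`."""
    div = ray_div_floor if protocol_favor else ray_div_half_up
    mul = ray_mul_floor if protocol_favor else ray_mul_half_up
    return mul(div(amount, index), index)


def invariant_holds(protocol_favor, index, amounts):
    """Invariant test: a deposit never buys a claim worth more than itself."""
    return all(mint_claim(protocol_favor, index, a) <= a for a in amounts)


def run_scenario(protocol_favor):
    # Constructed numbers: a 1-unit seed deposit plus a 7,560,000,000-unit
    # premium drive the index to 7,560,000,001e27, the figure in the write-up.
    r = Reserve(protocol_favor)
    r.supply("seed", 1)
    r.cumulate_premium(7_560_000_000)
    one_scaled_unit = r.index // RAY      # underlying value of one scaled unit
    deposit = one_scaled_unit // 2 + 1    # just over half of that value
    try:
        r.supply("depositor", deposit)
        minted = True
    except ValueError:
        minted = False
    return {
        "index": r.index,
        "minted": minted,
        "deposit": deposit,
        "claim": r.balance_of("depositor"),
        "solvent": r.solvent(),
    }


if __name__ == "__main__":
    for favor in (False, True):
        print("protocol_favor=%s -> %s" % (favor, run_scenario(favor)))
```

With half-up rounding, a deposit of just over half the value of one scaled unit mints a full unit, so the depositor can claim roughly twice what was paid in and the solvency invariant fails; with rounding in the protocol's favour the same deposit is rejected as a zero mint and the reserve stays solvent. The invariant_holds check is the kind of property an invariant-testing campaign would fuzz over many amounts and index values before the rounding direction is ever exercised on mainnet.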

The Critical Need for Web3 Security

As a Web3 security firm, QuillAudits embraces the essence of decentralization by offering transparency, and we want that spirit to shine through in our services too.
