The hacker responsible for stealing $7.4 million from decentralized finance (DeFi) protocol Hundred Finance has recently begun moving the stolen crypto assets, marking the end of a year-long period of inactivity.
On May 1, the hacker transferred approximately $800,000 worth of Ether (ETH) and Tether (USDT) from Curve’s decentralized exchange (DEX), where they had previously provided liquidity over a year ago.
After withdrawing the funds, the hacker converted USDT and other cryptocurrencies into ETH, resulting in a gain of over $1 million in ETH assets.
Currently, the hacker holds a total of $4.3 million in assets in their wallet, which includes various crypto assets such as Dai (DAI), Wrapped Ether, Frax, and Wrapped Bitcoin.
The security breach that allowed the hacker to steal the funds occurred on April 15, 2023, on the layer-2 network Optimism, according to a report from blockchain security firm CertiK. The attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS, enabling them to withdraw more tokens than were originally deposited.
This type of attack, known as a flash loan attack in the DeFi world, involves borrowing large amounts of funds without any collateral from a lending platform and using them to manipulate the price of crypto on DeFi platforms. In the case of the Hundred Finance hack, the attacker took out substantial loans based on a falsified exchange rate.
Hundred Finance had previously experienced another exploit in 2022 on the Gnosis Chain, where a reentrancy attack resulted in a loss of $6 million as the protocol’s liquidity was drained.
Despite the prevalence of flash loan attacks in recent years, April 2024 saw a significant decrease in losses from this type of hack. According to CertiK’s report, flash loan attacks only accounted for $129,000 in losses for the month, with the largest incident causing $55,000 in damages. This marks the lowest amount lost to flash loan attacks since February 2022.
Overall, losses from crypto hacks also decreased in April, as reported by security company PeckShield. Only $60 million was lost to hacks during the month, a sharp decline from the $360 million and $187 million losses recorded in February and March, respectively.