Since the exploit of the Meter Passport bridge on the 5th of February and the subsequent use of their compromised assets on our protocol, the Hundred Finance community and team have been facing the impact of actions that left our first Moonriver deployment heavily undercollateralized. Now that Meter has released a post mortem of their exploit and we have had several days to discuss its interpretation of events and proposed compensation package internally and with their team, we on the Hundred Finance team would like to provide additional information as it relates to the situation faced by the Hundred Finance community in the form of our own post mortem released here on the forum. This will provide further context relevant to those whose deposits have been rendered non-recoverable on Moonriver, while also serving as a prelude to opening the floor to the discussion of any potential Hundred Finance-issued compensation package.

Summary of the Exploit

While we on the team disagree with several of the subjective points made within Meter’s post mortem blog post, it does nevertheless provide some explanation of the mechanism by which Hundred Finance’s Moonriver deployment was made a victim of their protocol’s hack. According to their analysis, the deposit method of the Meter Passport token bridge introduced a vulnerability in the minting process of their versions of native tokens such as ETH and BNB by making assumptions relating to the necessity of burning or locking said tokens. This vulnerability was used by the Meter Passport attacker in a series of transactions that drained assets held in Meter’s contracts on Ethereum, Binance Smart Chain, Moonriver and on their own Meter Network. These various tokens were then transferred and exchanged to ETH and BTC, with approximately “4.25 million USD” in value (at the time of the exploit) then deposited into Tornado Cash. It was specifically the ability to erroneously mint 30,000 BNB.bsc on Moonriver and subsequently sell them unimpeded for ETH on the same network that created the means of Hundred Finance’s exploitation.

When the Meter Passport attacker sold their 30,000 BNB.bsc on Moonriver, this action effectively collapsed the price of the asset on the network. In other contexts, when an asset’s price declines on a particular exchange or network, arbitrage will usually occur (the buying of an asset on one market that diverges from another in order to sell it for a profit as quickly as possible) and an equilibrium will rapidly be re-established across all markets. It is the aggregate price across markets that Chainlink uses to serve the data used in managing Hundred Finance’s various lending and borrowing functions. As Meter Passport had been drained of its assets in other markets, however, its bridge was paused and ceased to function as a route for arbitrage, leaving the “Moonriver BNB” token price isolated. As a result, actors were able to buy BNB.bsc for far less than its equivalent Chainlink price, yet use it to collateralize loans at the Chainlink price, so that the loans could vastly exceed the exchange value of the supplied assets.
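The mismatch described above can be checked mechanically. The following is an added example, not code from Hundred Finance, Meter or Chainlink: a monitoring check that compares the oracle price of a bridged collateral asset with its local market price and reports why borrowing against it should be paused. The prices, the 75% collateral factor, the 5% deviation threshold and all names are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class MarketSnapshot:
    symbol: str
    oracle_price: Decimal       # aggregate cross-market price from the feed (USD)
    local_price: Decimal        # price actually obtainable on the local DEX (USD)
    collateral_factor: Decimal  # share of oracle value that may be borrowed (assumed)
    bridge_live: bool           # True while the bridge still allows arbitrage

def deviation(s: MarketSnapshot) -> Decimal:
    """Relative gap between the oracle price and the local market price."""
    return abs(s.oracle_price - s.local_price) / s.oracle_price

def bad_debt_per_unit(s: MarketSnapshot) -> Decimal:
    """USD left unrecoverable per unit of collateral if the loan is abandoned:
    the borrow limit at the oracle price minus what the collateral sells for."""
    borrow_limit = s.oracle_price * s.collateral_factor
    return max(Decimal(0), borrow_limit - s.local_price)

def pause_reasons(s: MarketSnapshot, max_dev: Decimal = Decimal("0.05")) -> list[str]:
    """Return the reasons to pause new borrows against this collateral (empty = keep open)."""
    reasons = []
    if not s.bridge_live:
        reasons.append("bridge halted: local price can no longer be arbitraged")
    if deviation(s) > max_dev:
        reasons.append(f"oracle/local deviation {deviation(s):.1%} exceeds {max_dev:.0%}")
    if bad_debt_per_unit(s) > 0:
        reasons.append(f"borrow limit exceeds local value by ${bad_debt_per_unit(s):.2f} per unit")
    return reasons

# Constructed snapshots (illustrative numbers, not the actual prices from the incident).
HEALTHY = MarketSnapshot("TOKEN", Decimal("100"), Decimal("99.5"), Decimal("0.75"), True)
ISOLATED = MarketSnapshot("TOKEN", Decimal("100"), Decimal("10"), Decimal("0.75"), False)

if __name__ == "__main__":
    for snap in (HEALTHY, ISOLATED):
        print(snap.symbol, pause_reasons(snap) or "ok")
```

In the isolated case, every unit of collateral bought locally for $10 supports a $75 borrow, so the check reports all three pause reasons.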

Following Meter’s 11:21 pm UTC Tweet announcing that they had stopped bridge transactions while leaving their Moonriver BNB.bsc token unpaused, four separate accounts used the exploit outlined above to take out undercollateralized loans on Hundred Finance of a value of approximately $6.5m USD in MIM, ETH and FRAX. The first of these began illicitly withdrawing MIM approximately 2.5 hours after the Meter announcement, at 1:58 am UTC on February 6th. The last of the four withdrew FRAX at 12:04 pm UTC on the same day.

The four accounts in question are listed below in order of the chronology of their interactions with Hundred Finance. For the purpose of this post mortem we have named them Accounts A through D.

  • 0xcB103319984513F557df2E8538A17cCbFD71adCa (Account A)
  • 0xf4e03e85f354D00867806B61786474Bd570CAEca (Account B)
  • 0xf74457825d23b99f5d88e03230956830a2275b4d (Account C)
  • 0x01000A7916ff43155297f271E428a91311c80eE8 (Account D)

Our Response

The Hundred Finance dev team was made aware of the Meter Passport hack at 11:36 am on February 6th. In response, the process for pausing the BNB.bsc market was immediately begun, with the necessary team members able to gather and initiate the pause transaction by 12:15 pm. With the compromised BNB.bsc contracts now paused, we then immediately turned to assessing the situation in order to ensure no further funds were at risk.

Simultaneous with the risk assessment, members of the team also began attempts to recover the outstanding funds prior to their possible deposit into the Tornado Cash application. Thankfully, through the willingness of Accounts A, B and C to engage in negotiation, we were able to see to it that the MIM loan taken out by Account B was returned in full and the vast majority of those assets borrowed by A and C were also returned. This returned liquidity allowed the suppliers of more than $4 million USD in MIM and ETH to retrieve their funds. With regard to the manner of these returns, at no time did the Hundred Finance team have custody over the ETH and MIM that had been illegitimately removed and then returned to the protocol. We were also not able to dictate which among Accounts A, B and C retained what proportion of the unreturned MIM, or when each Account would repay. The precise amount of outstanding MIM was minimized to the best of our ability in the interests of Hundred Finance users, though still subject to the actions of the accounts that had taken out BNB.bsc loans.

After the total return of illicitly borrowed ETH and taking into account the 1.9 million FRAX that was extracted by an account that to date we have been unable to reach and that has given no sign that they will return funds, the protocol and those supplying the relevant assets are currently faced with a shortfall of:

  • FRAX (1,929,116)
  • MIM (204,033)
  • MOVR (121)

As of now, we believe it highly unlikely that Account D will return the FRAX they borrowed. The individual or group behind Account D not only carried out the malicious borrow using 100 ETH of pre-existing funds held in Tornado Cash, they also did so using a temporary “vanity address” (an address generated programmatically in order to appear more noteworthy), which we believe implies malignancy on their part. As we do not anticipate any further repayment transactions from Accounts A, B and C, this brings the total loss from the ripple effect of their exploit on Hundred Finance to a figure of $2.135 million, as stated in the Meter post mortem.

Meter Compensation Package

The project behind Meter Passport, Meter.io, have set forth a compensation package for the victims of their protocol’s hack that includes Hundred Finance. This compensation will be calculated based on the over-minted BNB.bsc deposited into the protocol and currently held in the treasury multisig. This amount is 20,266.92 of the 30,000 overminted BNB.bsc on Moonriver, with “compensation calculated based on the impact of 338.8 ETH drained from the ETH-BNB.bsc pool on SushiSwap.” With the above compensation plan in mind, Meter will issue 38.8 PASS tokens per BNB issued on the Meter mainnet, with each PASS token representing 1 USD in total compensation.

With a 12-month vesting period included in the compensation package and the maximum amount obtainable a little over 786,320 USD equivalent value in the native Meter token, it is inevitable that there will remain a shortfall. Nevertheless, any funds received by the Hundred Finance treasury multisig as a result of the Meter compensation package will be considered those of the accounts impacted by the exploit on our platform, with distribution conducted on a pro rata basis (while accounting for transaction fees). As we have records of those affected and in what amounts, we will be able to handle distributions as soon as they become available, announcing their commencement through our usual channels as soon as we are able.

Invitation to Discuss Hundred Finance Compensation Package

As the compensation package proposed by Meter will be insufficient to cover the losses incurred by Hundred Finance users that have supplied the outstanding assets, we would like to invite those in the community who would like to discuss a compensation package issued by our own protocol to do so. As sympathies should lie with those who have lost access to their assets through no fault of their own, we would encourage them to be the first to voice their opinions here so that those who are not directly impacted are able to appreciate their situations prior to posing arguments that may not be in their direct interests. Incidentally, we on the team will endeavor to answer any questions that elaborate usefully on the situation as frankly as is possible.

We believe seven days is a reasonable and appropriately efficient discussion-stimulating timeframe in which to brainstorm any potential compensation package proposals. Therefore, should any proposal or proposals have achieved support among a body of our users, we on the team will then submit it/them for Snapshot voting by veHND holders on the 1st of March.

We would like to conclude by thanking our community for their patience and understanding during this difficult period and ask that throughout discussion of these topics, please retain empathy for the situations of others and an openness to perspectives that may differ from your own.