Yearn, Hundred, Ocean Life: The Cost of Misconfigured Logic and Missing Storage Updates
These five exploits aren’t about zero-days; they’re about sloppy accounting, unsafe upgrade patterns, and fragile assumptions under flash loan pressure. From Yearn’s hardcoded lender misconfig to Hundred’s wei-level exchange rate trick, every hack here was predictable if not outright preventable. These aren’t edge cases; they’re the byproduct of protocols trusting internal state more than actual behavior. This is how $20M+ disappeared and what should’ve stopped it.
Hacks Analysis
Ocean Life | Amount Lost: $11K
Ocean Life Token on BNB chain has been exploited for $11K. The attacker initially borrowed wrapped BNB using flash loans and swapped these funds to get $OLIFE tokens. The exploit contract had a vulnerability where the total balance state did not get updated internally before an external call was made. The private reflectFee function had decreased the total value to 969 WBNB worth of OLIFE token. However the balance of the pool did not get updated correctly and the attacker was able to swap 1,001 WBNB and make a profit of 34 WBNB.
An attack on Hundred Finance resulted in a loss of $7M. The hacker used flash loans and donated 500 WBTC to Hundred Finance’s CErc20 Contract, with the intention to manipulate the exchange rate of Hundred WBTC (hWBTC). The attack contract deposited the WBTC funds into child contracts, which are utilized to mint hWBTC. Subsequently, the child contract redeemed nearly all of the WBTC funds, except for 2 wei, causing the total supply of hWBTC to be 2 wei. The attacker then donated 500 WBTC to Hundred’s CErc20 Contract, which inflated the exchange rate to nearly 1 wei hWBTC = 250 WBTC. Taking advantage of this inflated rate, the attacker borrowed 1022 WETH with 2 wei of underlying assets. After borrowing the WETH funds, the attacker was able to withdrew the 500 WBTC that was previously donated to Hundred’s CErc20 Contract due to a rounding error, and eventually repaid the flash loan.
Yield Finance suffered an exploit this morning, resulting in losses potentially over $11 million due to a misconfiguration in its yUSDT contract. The attacker flash loaned DAI, USDC, and USDT and used some of the funds to repay other people’s debts on the Aave v1 Lending Pool, lowering the priority of the Aave pool within the Yearn contract. The Yearn contract contained a hard-coded lender contract address for Fulcrum which used iUSDC as the underlying asset instead of iUSDT. This caused the Yield contract to miscalculate the yield-to-deposit ratio. The attacker was able to mint an excessive amount of yUSDT by depositing a small amount of USDT. The attacker then swapped yUSDT to DAO and ETH.
MetaPoint on BNB Chain suffers $920K hack due to a vulnerability in their deposit contract function. The exploit happened because every time a user deposited $POT to the pool, a new smart contract was generated and $META tokens were deposited to it. The new smart contract had a public approve function that allowed unrestricted access to the deposited tokens, enabling the attacker to drain them. MetaPoint team announced the hack and suspended all operations.
Press enter or click to view image in full size
One of the exploited smart contracts with the approve function(): 0x086f403461478F6aE7b81d9654f96f65AbDfAC29
Paribus | Amount Lost: $20K
An attack on Paribus resulted in the loss of approximately $20,000. The attacker borrowed 200 ETH and 30,000 USDT using a flash loan and deposited the tokens into Paribus protocol. The deposited funds were used as a collateral to borrow additional ETH from the pETH pool. The attacker exploited a reentrancy vulnerability during the pToken redeem function. According to the Paribus Post-Mortem update, the nonReentrant modifier failed to update the storage prior to the transfer. The attacker was able to borrow additional funds while the deposited pETH balance remained unchanged.
What’s a Rich Text element?
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in a $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that they have identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.
