Audit log
Every state-changing event for Agave & Hundred Finance Exploit: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-01 17:46:48Z. Score: ? → ? (no score change). Anchor: anchored
  - chain: mainnet-beta, slot 423,640,068
  - sig: 24LcsnTVcGQb…3x4jNjxe
  - hash: DGHrNzTBvA35…34zchCCn (sha256 → base58)
  - canonical bytes (19789 B):
{"actor":"system:backfill","investigation_id":"b32973c0-d789-4a2a-a464-7b8096e497c6","kind":"publish","page_slug":"agave-hundred-finance","published_at":"2026-06-01T17:46:47.999Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Agave & Hundred Finance Exploit","sections":[{"content":"On March 15, 2022, both Agave DAO and Hundred Finance were simultaneously drained via a reentrancy attack on Gnosis Chain. The attacker stole approximately 2,116 ETH ($5.5 million) from Agave and 2,363 ETH ($6.2 million) from Hundred Finance, for a combined loss of roughly $11.7 million. The attack was initiated with a flash loan of approximately $2 million USDC sourced from SushiSwap on Gnosis Chain. The attacker deposited the USDC as collateral, then exploited the reentrancy window to borrow from multiple lending pools—hUSDC, hWBTC, hWETH, and hxDAI—before debt balances were updated. Stolen assets included Wrapped ETH, Wrapped BTC, Chainlink, USDC, Gnosis (GNO), and Wrapped xDAI. Both protocols paused their contracts within hours of discovering the attack. 
Stolen funds from both protocols were bridged to Ethereum mainnet and deposited into Tornado Cash in multiple batches within hours of the theft.","heading":"March 2022 Gnosis Chain Reentrancy Exploit","severity":"critical","sources":[{"credibility":2,"name":"Rekt News: Agave DAO & Hundred Finance","type":"news_article","url":"https://rekt.news/agave-hundred-rekt"},{"credibility":2,"name":"Immunefi: Hack Analysis — Hundred Finance Heist, March 2022","type":"research","url":"https://medium.com/immunefi/a-poc-of-the-hundred-finance-heist-4121f23a098"},{"credibility":1,"name":"The Block: DeFi protocols Agave and Hundred Finance exploited on Gnosis Chain for $11 million","type":"news_article","url":"https://www.theblock.co/post/137932/defi-protocols-agave-and-hundred-finance-exploited-on-gnosis-chain-for-11-million"},{"credibility":1,"name":"CoinDesk: DeFi Lending Protocol Agave's AGVE Plunges Over 20% Amid Exploit Investigation","type":"news_article","url":"https://www.coindesk.com/business/2022/03/15/defi-lending-protocol-agave-plunges-over-20-amid-exploit-investigation"}]},{"content":"The root cause of the March 2022 attack was a combination of a checks-effects-interactions ordering flaw and the non-standard behavior of Gnosis Chain's officially bridged tokens. The Gnosis Chain bridge issues ERC-677-compatible tokens that include an onTokenTransfer() callback hook: when tokens are sent to a contract address, the token contract automatically invokes the recipient's callback function before state is finalized. Both Agave (an Aave v2 fork) and Hundred Finance (a Compound fork) had borrow functions that sent tokens to the borrower before updating the borrower's debt balance. When the attacker's malicious contract received borrowed tokens, the onTokenTransfer() callback fired, re-entering the borrow function and allowing additional borrowing against already-pledged collateral before the debt register was updated. 
This recursive borrow pattern allowed the attacker to drain far more value than the deposited collateral should have permitted. The shared fork lineage of both protocols—Aave and Compound respectively—meant that neither had been adapted to handle the post-transfer callback behavior specific to Gnosis Chain's bridged token set, creating an identical attack surface across both deployments. Security researchers at Immunefi, SlowMist, and SharkTeam all independently confirmed that compliance with the checks-effects-interactions pattern would have prevented the attack.","heading":"ERC-677 Token Callback Vulnerability","severity":"critical","sources":[{"credibility":2,"name":"Immunefi: Hack Analysis — Hundred Finance Heist, March 2022","type":"research","url":"https://medium.com/immunefi/a-poc-of-the-hundred-finance-heist-4121f23a098"},{"credibility":2,"name":"SlowMist: Another Day, Another Reentrancy Attack","type":"research","url":"https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4"},{"credibility":2,"name":"SharkTeam: Flash Loan & Reentrancy Attack Analysis (March 17, 2022)","type":"research","url":"https://www.sharkteam.org/report/analysis/20220317001A_en.pdf"},{"credibility":3,"name":"Coinmonks: Classic opening for a reentrancy attack — Agave DAO and Hundred Finance Heist","type":"research","url":"https://medium.com/coinmonks/classic-opening-for-a-reentrancy-attack-agave-dao-and-hundred-finance-heist-4334f495aee9"}]},{"content":"On April 15, 2023, Hundred Finance suffered a second major exploit—this time on Optimism (an Ethereum Layer 2)—resulting in losses of approximately $7.4 million. This attack used a different mechanism: the attacker exploited an empty hWBTC market by donating wrapped Bitcoin directly to the contract, which manipulated the exchange rate between the ERC-20 token and its corresponding hToken (interest-bearing receipt). 
A rounding error in the redeemUnderlying function allowed the attacker to redeem more underlying assets than their hToken balance strictly entitled them to. By iterating this process across multiple lending pools, the attacker drained approximately 1,030 ETH, 1.27 million USDC, 1.11 million USDT, 843,788 DAI, 457,286 FRAX, and additional tokens including Wrapped BTC and SNX. The vulnerability was again rooted in Hundred Finance's Compound fork lineage, as the underlying code had not been adequately hardened against empty-market exchange-rate manipulation. The HND governance token fell approximately 46% in value following the announcement. Hundred Finance's team publicly disclosed the breach within hours, paused all markets across chains, and attempted direct communication with the attacker in hopes of negotiating a bounty return. No funds were recovered.","heading":"April 2023 Hundred Finance Optimism Exploit","severity":"critical","sources":[{"credibility":2,"name":"Halborn: Explained — The Hundred Finance Hack (April 2023)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-hundred-finance-hack-april-2023"},{"credibility":2,"name":"Decrypt: Hacker Exploits Hundred Finance Protocol In $7.4 Million Heist","type":"news_article","url":"https://decrypt.co/136918/hacker-exploits-hundred-finance-protocol-in-7-4-million-heist"},{"credibility":2,"name":"ImmuneByte: Hundred Finance Hack — April 15, 2023 Detailed Analysis","type":"research","url":"https://immunebytes.com/blog/hundred-finance-hack-april-15-2023-detailed-analysis/"},{"credibility":1,"name":"Cointelegraph: Hundred Finance loses $7 million in Optimism hack","type":"news_article","url":"https://cointelegraph.com/news/hundred-finance-loses-7-million-in-optimism-hack"}]},{"content":"Following the April 2023 Optimism exploit and the failure to recover stolen funds, Hundred Finance's DAO conducted a governance vote on whether to shut down the protocol. 
The shutdown proposal passed with approximately 99% approval on the Snapshot governance platform. The project formally ceased operations on August 9, 2023. Remaining treasury funds were directed toward a compensation plan for hack victims, and a claims process was established for any assets that might be recovered in the future. As of the date of this investigation, imminent return of stolen funds did not appear forthcoming. The hacker was reported to have moved the stolen $7.4 million from the April 2023 exploit approximately one year later via Curve Finance. Agave DAO continued operating on Gnosis Chain in reduced capacity following the March 2022 exploit. In October 2023, Agave enabled sDAI as a new collateral type. However, the protocol ultimately wound down: its DAO entered a phase-out process and formally closed in approximately March 2024, with a token redemption portal made available to remaining AGVE holders at agavefinance.eth.limo/redeem/.","heading":"Protocol Shutdown and Aftermath","severity":"high","sources":[{"credibility":2,"name":"Web3 Is Going Great: Hundred Finance shuts down after hacks","type":"news_article","url":"https://www.web3isgoinggreat.com/single/hundred-finance-shuts-down"},{"credibility":2,"name":"Hundred Finance X post: Shutdown vote result","type":"official","url":"https://x.com/HundredFinance/status/1689358397898887168"},{"credibility":2,"name":"DL News: Hundred Finance's $7.4 million stolen last year starts to move","type":"news_article","url":"https://www.dlnews.com/articles/defi/hundred-finance-hacker-moves-crypto-from-curve-finance/"},{"credibility":1,"name":"Cointelegraph: Hundred Finance hacker moves stolen assets a year after $7M exploit","type":"news_article","url":"https://cointelegraph.com/news/hundred-finance-hacker-moves-assets-year-after-exploit"}]},{"content":"Both Agave and Hundred Finance represent a recurring pattern in DeFi: protocols that fork battle-tested codebases (Aave v2 and Compound v2, respectively) and 
deploy them to chains with different token standards without fully auditing chain-specific behavior differences. The ERC-677 onTokenTransfer() callback had been a known feature of Gnosis Chain's bridged tokens prior to the March 2022 exploit, but neither protocol had adapted its borrow logic to account for it. The concurrent exploitation of both protocols by what appears to have been a coordinated attack—using separate attacker addresses but identical technique—suggests the exploiter identified the shared vulnerability across both Gnosis Chain deployments simultaneously. Security researchers cited the August 2021 CREAM Finance reentrancy attack ($18.8 million) as an earlier precedent using similar mechanics. The April 2023 Hundred Finance attack on Optimism further demonstrated that a protocol's fork lineage can harbor distinct but compounding vulnerability classes: the exchange-rate manipulation vector used in 2023 also traces to the Compound v2 codebase pattern and has since been replicated against other Compound forks. 
BlockSec has documented this attack type as catalyzing a broader wave of precision-related exploits against vulnerable forked protocols.","heading":"Fork Risk and Shared Vulnerability Lineage","severity":"high","sources":[{"credibility":2,"name":"BlockSec: Hundred Finance Incident — Catalyzing the Wave of Precision-Related Exploits in Vulnerable Forked Protocols","type":"research","url":"https://blocksec.com/blog/6-hundred-finance-incident-catalyzing-the-wave-of-precision-related-exploits-in-vulnerable-forked-protocols"},{"credibility":2,"name":"Halborn: Explained — The Hundred Finance Hack (April 2023)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-hundred-finance-hack-april-2023"},{"credibility":2,"name":"Vidma: The Agave and Hundred Finance Hack — A $11.7M Reentrancy Exploit","type":"research","url":"https://www.vidma.io/blog/the-agave-and-hundred-finance-hack-a-11-7m-reentrancy-exploit"},{"credibility":2,"name":"AMBCrypto: How these two DeFi protocols fell prey to $11 million reentrancy attack","type":"news_article","url":"https://ambcrypto.com/how-these-two-defi-protocols-fell-prey-to-11-million-reentrancy-attack/"}]},{"content":"The AGVE token fell over 20% on March 15, 2022, the day of the initial exploit. The HND token fell approximately 46% following the April 2023 exploit announcement. Individual users suffered direct financial losses; one documented case reported by Fortune magazine involved a crypto investor who lost $225,000 in the Agave hack. A GnosisDAO governance thread debated whether the DAO should contribute funds to compensate victims of the Hundred Finance exploit, given that Gnosis Chain's non-standard bridged token design was a contributing factor—though no formal GnosisDAO restitution was ultimately reported. 
The total estimated losses across both protocols and both exploit events amount to approximately $19.1 million ($11.7 million in March 2022 and $7.4 million in April 2023).","heading":"Market and User Impact","severity":"high","sources":[{"credibility":1,"name":"Fortune: Crypto investor lost $225,000 in Agave DeFi hack","type":"news_article","url":"https://fortune.com/2022/03/16/crypto-investor-scam-agave-defi/"},{"credibility":2,"name":"Gnosis Forum: Should GnosisDAO respond to the Hundred Finance exploit?","type":"community_report","url":"https://forum.gnosis.io/t/should-gnosisdao-respond-to-the-hundred-finance-exploit-in-the-following-manner/4259"},{"credibility":2,"name":"Web3 Is Going Great: Hundred Finance and Agave Finance are both exploited for a collective $12 million","type":"news_article","url":"https://www.web3isgoinggreat.com/single/hundred-finance-and-agave-finance-are-both-exploited-for-a-collective-12-million"}]}],"sources_used":[{"name":"Rekt News: Agave DAO & Hundred Finance","type":"news_article","url":"https://rekt.news/agave-hundred-rekt"},{"name":"Immunefi: Hack Analysis — Hundred Finance Heist, March 2022","type":"research","url":"https://medium.com/immunefi/a-poc-of-the-hundred-finance-heist-4121f23a098"},{"name":"The Block: DeFi protocols Agave and Hundred Finance exploited on Gnosis Chain for $11 million","type":"news_article","url":"https://www.theblock.co/post/137932/defi-protocols-agave-and-hundred-finance-exploited-on-gnosis-chain-for-11-million"},{"name":"CoinDesk: DeFi Lending Protocol Agave's AGVE Plunges Over 20% Amid Exploit Investigation","type":"news_article","url":"https://www.coindesk.com/business/2022/03/15/defi-lending-protocol-agave-plunges-over-20-amid-exploit-investigation"},{"name":"SlowMist: Another Day, Another Reentrancy Attack","type":"research","url":"https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4"},{"name":"SharkTeam: Flash Loan & Reentrancy Attack Analysis (March 17, 
2022)","type":"research","url":"https://www.sharkteam.org/report/analysis/20220317001A_en.pdf"},{"name":"Halborn: Explained — The Hundred Finance Hack (April 2023)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-hundred-finance-hack-april-2023"},{"name":"Decrypt: Hacker Exploits Hundred Finance Protocol In $7.4 Million Heist","type":"news_article","url":"https://decrypt.co/136918/hacker-exploits-hundred-finance-protocol-in-7-4-million-heist"},{"name":"Cointelegraph: Hundred Finance loses $7 million in Optimism hack","type":"news_article","url":"https://cointelegraph.com/news/hundred-finance-loses-7-million-in-optimism-hack"},{"name":"ImmuneByte: Hundred Finance Hack — April 15, 2023 Detailed Analysis","type":"research","url":"https://immunebytes.com/blog/hundred-finance-hack-april-15-2023-detailed-analysis/"},{"name":"Web3 Is Going Great: Hundred Finance shuts down after hacks","type":"news_article","url":"https://www.web3isgoinggreat.com/single/hundred-finance-shuts-down"},{"name":"Web3 Is Going Great: Hundred Finance and Agave Finance are both exploited for a collective $12 million","type":"news_article","url":"https://www.web3isgoinggreat.com/single/hundred-finance-and-agave-finance-are-both-exploited-for-a-collective-12-million"},{"name":"Cointelegraph: Hundred Finance hacker moves stolen assets a year after $7M exploit","type":"news_article","url":"https://cointelegraph.com/news/hundred-finance-hacker-moves-assets-year-after-exploit"},{"name":"DL News: Hundred Finance's $7.4 million stolen last year starts to move","type":"news_article","url":"https://www.dlnews.com/articles/defi/hundred-finance-hacker-moves-crypto-from-curve-finance/"},{"name":"BlockSec: Hundred Finance Incident — Catalyzing the Wave of Precision-Related Exploits","type":"research","url":"https://blocksec.com/blog/6-hundred-finance-incident-catalyzing-the-wave-of-precision-related-exploits-in-vulnerable-forked-protocols"},{"name":"Fortune: Crypto investor lost 
$225,000 in Agave DeFi hack","type":"news_article","url":"https://fortune.com/2022/03/16/crypto-investor-scam-agave-defi/"},{"name":"Gnosis Forum: Should GnosisDAO respond to the Hundred Finance exploit?","type":"community_report","url":"https://forum.gnosis.io/t/should-gnosisdao-respond-to-the-hundred-finance-exploit-in-the-following-manner/4259"},{"name":"Hundred Finance X post: Shutdown vote result","type":"official","url":"https://x.com/HundredFinance/status/1689358397898887168"},{"name":"Vidma: The Agave and Hundred Finance Hack — A $11.7M Reentrancy Exploit","type":"research","url":"https://www.vidma.io/blog/the-agave-and-hundred-finance-hack-a-11-7m-reentrancy-exploit"},{"name":"AMBCrypto: How these two DeFi protocols fell prey to $11 million reentrancy attack","type":"news_article","url":"https://ambcrypto.com/how-these-two-defi-protocols-fell-prey-to-11-million-reentrancy-attack/"}],"summary":"On March 15, 2022, Agave (an Aave fork on Gnosis Chain) and Hundred Finance (a Compound fork deployed on Gnosis Chain) were simultaneously exploited via a reentrancy attack that abused post-transfer callback hooks in Gnosis Chain's non-standard ERC-677 bridged tokens, resulting in combined losses of approximately $11.7 million. Hundred Finance suffered a second major exploit in April 2023 on Optimism ($7.4 million), after which the protocol voted to shut down permanently in August 2023. Agave continued operating in diminished capacity before its DAO formally wound down in early 2024.","timeline":[{"date":"2021-03-11","event":"Agave Finance introduces itself publicly as a money market lending and borrowing protocol on the xDai (Gnosis) network, forked from Aave.","source":"Agave Finance Medium","source_url":"https://agavefinance.medium.com/"},{"date":"2022-03-15","event":"Agave DAO and Hundred Finance are simultaneously exploited via a reentrancy attack on Gnosis Chain abusing ERC-677 onTokenTransfer() callbacks. 
Agave loses ~2,116 ETH ($5.5M); Hundred Finance loses ~2,363 ETH ($6.2M). Combined loss: ~$11.7M. Both protocols pause contracts.","source":"Rekt News / The Block / CoinDesk","source_url":"https://rekt.news/agave-hundred-rekt"},{"date":"2022-03-15","event":"Stolen funds from both exploits are bridged to Ethereum mainnet and deposited into Tornado Cash mixer within hours of the attack.","source":"SlowMist / Rekt News","source_url":"https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4"},{"date":"2022-03-17","event":"SharkTeam publishes a technical flash loan and reentrancy attack analysis of the Hundred Finance and Agave exploit.","source":"SharkTeam","source_url":"https://www.sharkteam.org/report/analysis/20220317001A_en.pdf"},{"date":"2023-04-15","event":"Hundred Finance is exploited a second time, this time on Optimism (Ethereum L2), via exchange-rate manipulation on an empty hWBTC market combined with a rounding error. Loss: ~$7.4M. HND token falls ~46%. Protocol pauses all chain deployments.","source":"Cointelegraph / Decrypt / Halborn","source_url":"https://cointelegraph.com/news/hundred-finance-loses-7-million-in-optimism-hack"},{"date":"2023-08-09","event":"Hundred Finance governance votes to shut down the protocol with ~99% approval on Snapshot. Remaining treasury funds directed toward victim compensation. Protocol operations cease.","source":"Web3 Is Going Great / Hundred Finance X","source_url":"https://www.web3isgoinggreat.com/single/hundred-finance-shuts-down"},{"date":"2024-03-25","event":"Agave DAO formally closes down after completing its phase-out process. 
AGVE token holders directed to a redemption portal at agavefinance.eth.limo/redeem/.","source":"Agave Finance website / GitHub phase-out-tooling","source_url":"https://agave.finance/"},{"date":"2024-04-01","event":"The attacker who stole $7.4M from Hundred Finance in April 2023 begins moving the stolen assets approximately one year after the exploit, routing them through Curve Finance.","source":"DL News / Cointelegraph","source_url":"https://www.dlnews.com/articles/defi/hundred-finance-hacker-moves-crypto-from-curve-finance/"}]},"v":1}
Verify offline (run on your own machine):
python -m src.verify_decision f3c09cfb-1f92-4256-b935-3902889b75aa
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
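The row-integrity check described above can be reproduced offline. The following is an added example, not avoid.net's `src.verify_decision` code: it assumes the stored hash is the base58 encoding (Bitcoin/Solana alphabet) of the raw SHA-256 digest of the canonical bytes, and the function names and sample row are constructed for illustration.

```python
import hashlib
import hmac
import json

# Base58 alphabet used by Bitcoin and Solana (assumed to be the one
# behind the page's "sha256 → base58" label).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def row_hash(canonical_bytes: bytes) -> str:
    """SHA-256 over the exact bytes as served, then base58."""
    return b58encode(hashlib.sha256(canonical_bytes).digest())


def verify_row(canonical_bytes: bytes, stored_hash: str) -> bool:
    """Recompute the hash locally and compare with the stored value."""
    computed = row_hash(canonical_bytes)
    return hmac.compare_digest(computed.encode(), stored_hash.encode())


def matches_truncated(full_hash: str, displayed: str) -> bool:
    """Compare against a 'prefix…suffix' value as shown in the UI.

    A prefix/suffix match is only a sanity check: the hidden middle
    characters are not verified, so fetch the full hash for a real check.
    """
    if "…" not in displayed:
        return hmac.compare_digest(full_hash.encode(), displayed.encode())
    prefix, suffix = displayed.split("…", 1)
    return (
        len(full_hash) >= len(prefix) + len(suffix)
        and full_hash.startswith(prefix)
        and full_hash.endswith(suffix)
    )


# Constructed sample row (not the real 19789-byte record from this page).
CONSTRUCTED_ROW = b'{"actor":"system:backfill","kind":"publish","sequence_num":1,"v":1}'
CONSTRUCTED_HASH = row_hash(CONSTRUCTED_ROW)

# Same JSON value, different bytes: parsing and re-dumping adds spaces
# after ':' and ',', so the hash no longer matches.
RESERIALIZED_ROW = json.dumps(json.loads(CONSTRUCTED_ROW)).encode()

# One changed field value, as a tampered copy would have.
TAMPERED_ROW = CONSTRUCTED_ROW.replace(b'"publish"', b'"retract"')

if __name__ == "__main__":
    print("exact bytes    :", verify_row(CONSTRUCTED_ROW, CONSTRUCTED_HASH))
    print("re-serialized  :", verify_row(RESERIALIZED_ROW, CONSTRUCTED_HASH))
    print("tampered       :", verify_row(TAMPERED_ROW, CONSTRUCTED_HASH))
```

Hash the bytes exactly as downloaded: a copy that has been pretty-printed, re-encoded, or re-wrapped fails the check even when every field is unchanged.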