CoinClear

Hundred Finance

1.8/10

Compound fork exploited for $7M via a known vulnerability — failed to implement a well-documented security fix, now effectively dead.

Updated: February 16, 2026AI Model: claude-4-opusVersion 1

Overview

Hundred Finance launched as a multi-chain Compound V2 fork, deployed on Ethereum, Arbitrum, Optimism, Fantom, Gnosis Chain, and other networks. The protocol provided standard lending/borrowing functionality using Compound's battle-tested codebase, targeting chains where lending options were limited. Hundred positioned itself as a "go-to" lending protocol for newer L2s and alternative L1s.

In April 2023, Hundred Finance on Optimism was exploited for approximately $7.4 million through an "empty market" attack — a well-known vulnerability in Compound V2 forks where an attacker manipulates the exchange rate of an empty (or near-empty) lending market by donating tokens directly to the contract, artificially inflating the exchange rate and then exploiting the rounding error to drain funds.

The critical failure was not just the exploit itself but the fact that the empty market vulnerability was well-documented and widely known. Multiple security researchers had published detailed analyses of this attack vector, and other Compound forks had already been exploited using the same technique. Hundred Finance failed to implement the known mitigation — seeding markets at deployment to prevent exchange rate manipulation.

The protocol is effectively defunct following the exploit, with negligible TVL and no meaningful recovery.

Smart Contracts

Compound V2 Fork

Hundred Finance's contracts are a standard Compound V2 fork with minimal modifications. The base Compound V2 code is well-audited and battle-tested. However, Compound V2 forks carry a known set of vulnerabilities when deployed without proper initialization — the empty market attack being the most prominent.

Unpatched Known Vulnerability

The empty market vulnerability in Compound V2 forks was identified and publicized before Hundred Finance's Optimism deployment. The fix is straightforward: seed each lending market with a small initial deposit at deployment to prevent exchange rate manipulation. Hundred Finance did not implement this fix, a failure of basic security diligence.

Multi-Chain Deployment Risk

Deploying across many chains without adequate security review per deployment increases risk. The Optimism exploit demonstrated that a vulnerability on one chain deployment does not guarantee other deployments are safe — or that known issues have been addressed on each chain.

Security

The Empty Market Exploit ($7.4M)

The April 2023 attack on Hundred Finance's Optimism deployment used a well-documented attack pattern:

  1. The attacker found an empty lending market (no deposits) on Hundred Finance Optimism.
  2. They donated tokens directly to the market contract, manipulating the internal exchange rate.
  3. The inflated exchange rate created a rounding error in share calculations.
  4. The attacker exploited this rounding error to borrow far more than their collateral was worth, draining $7.4 million from the protocol.

This attack was not novel. The same vulnerability had been exploited on multiple other Compound V2 forks, and security firms had published detailed mitigation guides. Hundred Finance's failure to implement the known fix is inexcusable.

Failure to Learn from Others

By April 2023, the empty market attack on Compound V2 forks was one of the most well-documented vulnerabilities in DeFi. Protocols like Midas Capital and Onyx Protocol had already been exploited using identical techniques. The security community had published detailed write-ups, and the fix was trivially simple. Hundred Finance's failure to implement this fix represents a critical failure of security awareness.

No Recovery

Following the exploit, Hundred Finance did not meaningfully recover. The team's credibility was destroyed by the failure to implement a well-known security fix. User funds were lost without adequate compensation.

Risk Management

Absent Risk Controls

Hundred Finance lacked basic risk management practices:

  • No market seeding: The simplest prevention for the empty market attack was not implemented.
  • No monitoring: Automated monitoring could have detected the attack's unusual transactions.
  • No supply caps: Proper supply and borrow caps could have limited damage.
  • No security awareness process: A basic review of known Compound V2 fork vulnerabilities would have identified the risk.

Incompetent Deployment

Deploying a Compound V2 fork on a new chain without checking for the empty market vulnerability is not an unlucky oversight — it is fundamental incompetence. The vulnerability was documented, the fix was known, and the team failed to implement it.

Adoption

Defunct

Hundred Finance is effectively dead. TVL is negligible across all remaining deployments. No significant user activity exists. The protocol serves as another cautionary tale about the risks of lazy Compound forks.

Pre-Exploit Status

Even before the exploit, Hundred Finance had modest adoption — typically $10-50M TVL across all chains. The protocol never achieved meaningful scale, competing against better-funded and more carefully managed lending protocols.

Tokenomics

HND Token

The HND token has collapsed to near-zero value following the exploit. With no meaningful protocol activity, governance power, or revenue, the token retains no utility or investment thesis.

Dead Token Economics

HND emission schedules, farming programs, and governance mechanisms are irrelevant for a defunct protocol. Any remaining HND liquidity is purely speculative.

Risk Factors

  • PROTOCOL IS EFFECTIVELY DEFUNCT. Do not deposit funds.
  • $7.4M exploit on Optimism using a well-known, easily preventable vulnerability.
  • Demonstrated incompetence in failing to implement a documented security fix.
  • No meaningful recovery or credible path to rebuilding.
  • HND token is effectively worthless.
  • Remaining deployments on other chains may carry unpatched vulnerabilities.
  • Any interaction with Hundred Finance carries extreme and unjustifiable risk.

Conclusion

Hundred Finance's story is both simpler and more damning than Cream Finance's. Cream at least pushed boundaries with novel (if reckless) collateral types. Hundred Finance was exploited by a well-known vulnerability with a well-known fix that the team simply failed to implement. The $7.4 million lost on Optimism was entirely preventable.

The 1.8 overall score reflects a protocol that demonstrated critical incompetence in security practices and has no viable path to recovery. The security score of 2 and risk management score of 2 are generous given the circumstances. Hundred Finance is a cautionary tale specifically for teams that fork established protocols without understanding or addressing their known vulnerabilities.

The lesson is stark: forking battle-tested code does not make your protocol secure. You must also fork the security practices, risk management, and operational diligence that made the original protocol safe.

Sources