cdn – Is there a risk to hosting service if hot-potato site is using cloudflare?

If set up correctly and securely the actual site is not significantly vulnerable to a DDOS attack, although depending on the way the site is written and how dedicated the attackers are there may be some limited exposure to the final site if the DDDOS attack can find a way to do the attack through Cloudflare.

A point of Cloudflare is that they can’t discover the actual site via DNS settings – they would need to find it an alternative way because the DNS points to Cloudflare – which would be hard but might be exposed through scouring the web or if your site can be hacked and the final IP exposed. You can greatly limit the attack vector by only allowing Cloudflare IPs to connect to your webserver using some kind of firewall.