‘Inverse Finance’ Exploited Again in $1.2 Million Flash Loan Attack


Inverse Finance, a decentralised lending protocol built on Ethereum, has lost over US$1.2 million in the industry’s latest DeFi hack.

To make matters worse, this is the second such incident for Inverse Finance after US$15.6 million was stolen in an exploit just three months ago.

Flash Loan Attack

Flash loans are DeFi-specific crypto loans in which large amounts of capital can be borrowed with little collateral, provided the loan is paid back within the same transaction.

While flash loans are typically used by traders, attackers have also used them to trick a protocol’s smart contracts with manipulated prices and then take over the liquidity pool’s assets.

This is a so-called “flash loan attack”, a technique utilised by the exploiter in this latest incident, confirmed by security firm PeckShield:

3/ The hack is made possible due to the price oracle manipulation, which misuses the balances of assets in the pool to directly calculate the LP token price. It is greatly facilitated by the flashloan to skew the reserves in the pool. pic.twitter.com/NxurMnMF7W

— PeckShield Inc. (@peckshield) June 16, 2022
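
The weakness PeckShield describes, as an added Python example that is not from the article or from Inverse Finance's code: it compares an LP token price computed directly from pool balances with one computed from the pool invariant and external prices. It assumes a simplified fee-free constant-product pool (the pools in the incident were on Curve) with constructed reserves and prices; all names are hypothetical.

```python
# Added illustration, not from the article. Assumptions: a fee-free two-asset
# constant-product pool with constructed reserves and external prices.
from math import sqrt


class Pool:
    def __init__(self, reserve_a, reserve_b, lp_supply):
        self.a, self.b, self.supply = reserve_a, reserve_b, lp_supply

    def swap_a_for_b(self, amount_a):
        """Constant-product swap: the product a * b is preserved."""
        k = self.a * self.b
        self.a += amount_a
        out = self.b - k / self.a
        self.b -= out
        return out


def naive_lp_price(pool, price_a, price_b):
    """Values the pool's current balances, which any large swap can skew."""
    return (pool.a * price_a + pool.b * price_b) / pool.supply


def fair_lp_price(pool, price_a, price_b):
    """Depends on reserves only through k = a * b, which swaps leave unchanged."""
    return 2 * sqrt(pool.a * pool.b * price_a * price_b) / pool.supply


def swap_sensitivity(price_fn, swap_in=9_000.0):
    """LP price after a large swap divided by the price before; 1.0 = unaffected."""
    price_a, price_b = 20_000.0, 1.0             # constructed external prices
    pool = Pool(1_000.0, 20_000_000.0, 1_000.0)  # constructed reserves and supply
    before = price_fn(pool, price_a, price_b)
    pool.swap_a_for_b(swap_in)                   # temporary skew within one transaction
    return price_fn(pool, price_a, price_b) / before


if __name__ == "__main__":
    print("naive:", swap_sensitivity(naive_lp_price))
    print("fair: ", swap_sensitivity(fair_lp_price))
```

A swap-sensitivity ratio close to 1.0 is the property to test for when reviewing an oracle that values LP tokens as collateral.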

On-chain data reveals that the culprit flash-borrowed 27,000 wrapped bitcoin from lending protocol Aave to conduct the attack. The funds were subsequently routed through swap service Curve for various stablecoins before being used to remove DOLA, a stablecoin, from Inverse Finance pools.

Evidence of the flash loans. Source: Etherscan

In total, the exploiters managed to steal more than 53 bitcoin, worth US$1.1 million, and 10,000 tether (USDT). As a result, Inverse implemented a temporary pause on its lending:

Inverse has temporarily paused borrows following an incident this morning where DOLA was removed from our money market, Frontier. We are investigating the incident; however, no user funds were taken or were at risk. We are investigating and will provide more details soon.

— Inverse+ (@InverseFinance) June 16, 2022

Since the exploit, an address tagged “Inverse Finance Exploiter” has apparently sent 900 ETH, worth around US$1 million, to Tornado Cash, a privacy mixer often used when attackers wish to conceal their funds.

‘Generous Bounty’ Offered

In a post-mortem, Inverse Finance encouraged the person(s) behind the incident to return the funds for a “generous bounty”. To mitigate the risk of further incidents, it added that it had retained the services of security experts both to better understand the breach and to prevent similar incidents in the future.
