Inverse Finance, an Ethereum-based DeFi lending protocol, suffered a flash loan attack in which attackers stole $1.26 million in Tether (USDT) and Wrapped Bitcoin (WBTC). According to PeckShield, the hacker attacked the platform via price oracle manipulation.
Within a span of two months, the decentralized finance (DeFi) lending protocol suffered two major attacks. In April, Inverse Finance lost $15.6 million after an attacker targeted its Anchor money market. The cyber criminal artificially skewed token prices to borrow against extremely low collateral.
1/ @InverseFinance was exploited in https://t.co/OaCemQfWug, leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger).
— PeckShield Inc. (@peckshield) June 16, 2022
How Did The Hack Happen?
In the latest of a long list of DeFi exploits, Inverse Finance, which facilitates borrowing and lending of digital tokens, was hacked through manipulation of the price of its LP tokens. PeckShield, a blockchain security company, said the hack was made possible by price oracle manipulation: the oracle misuses the balances of assets in the pool to calculate the LP token price directly. A flash loan greatly facilitates this by skewing the reserves in the pool.
According to the official blog post, soon after the attack Inverse Finance temporarily paused borrowing and also removed its DOLA stablecoin from the money market, saying that it was investigating the incident. The company specified that no user funds were at risk, and later confirmed that only the attacker’s deposited collateral was affected in the incident.
Inverse has temporarily paused borrows following an incident this morning where DOLA was removed from our money market, Frontier. We are investigating the incident however no user funds were taken or were at risk. We are investigating and will provide more details soon.
— Inverse (@InverseFinance) June 16, 2022
According to PeckShield, the hacker gained a total of 99,976 USDT and 53.2 WBTC from the attack. As soon as the hack succeeded, the hackers laundered the funds through the cryptocurrency mixer Tornado Cash in an attempt to obfuscate the stolen digital assets. PeckShield also revealed that the attack was allegedly performed by a bot that front-ran the original hack.
The blockchain security company also revealed that the attack started with an initial fund of 1 ETH, which was withdrawn from Tornado Cash. Currently, 68 ETH in illicit gains is resting in the hacker’s account. Soon after, another 1000 ETH was deposited to Tornado Cash.
3/ The hack is made possible due to the price oracle manipulation, which misuses the balances of assets in the pool to directly calculate the LP token price. It is greatly facilitated by the flashloan to skew the reserves in the pool. pic.twitter.com/NxurMnMF7W
— PeckShield Inc. (@peckshield) June 16, 2022
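The flaw PeckShield describes, pricing an LP token directly from the pool's current balances, is shown below next to a valuation that a reserve skew cannot move, plus a gate a lending market could apply. This is an added example, not code from Inverse Finance or PeckShield: the two-asset constant-product pool, the zero fee, the reference prices, the `Pool` class and every function name are assumptions, and the geometric-mean valuation is a commonly used alternative rather than anything the article describes.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass
class Pool:
    """Hypothetical two-asset constant-product pool (r0 * r1 = k), zero fee."""
    r0: float          # reserve of asset 0
    r1: float          # reserve of asset 1
    lp_supply: float   # LP tokens outstanding

    def swap_in_asset0(self, dx: float) -> "Pool":
        """Return the pool state after dx of asset 0 is sold into it."""
        k = self.r0 * self.r1
        new_r0 = self.r0 + dx
        return Pool(new_r0, k / new_r0, self.lp_supply)


def naive_lp_price(pool: Pool, p0: float, p1: float) -> float:
    """Pattern described in the article: value the current balances directly."""
    return (pool.r0 * p0 + pool.r1 * p1) / pool.lp_supply


def fair_lp_price(pool: Pool, p0: float, p1: float) -> float:
    """Uses reserves only through k = r0 * r1, which a fee-less swap preserves."""
    return 2 * sqrt(pool.r0 * pool.r1 * p0 * p1) / pool.lp_supply


def skew(pool: Pool, p0: float, p1: float) -> float:
    """Relative gap between the two valuations; 0 when the pool is balanced."""
    return naive_lp_price(pool, p0, p1) / fair_lp_price(pool, p0, p1) - 1


def borrowing_allowed(pool: Pool, p0: float, p1: float, tol: float = 0.02) -> bool:
    """Defensive gate: refuse to price collateral while reserves are skewed."""
    return skew(pool, p0, p1) <= tol


# Constructed sample: reference prices (assumed to come from a feed that does
# not read this pool) and a pool that is balanced at those prices.
P0, P1 = 1.0, 20_000.0
balanced = Pool(r0=1_000_000.0, r1=50.0, lp_supply=1_000.0)
skewed = balanced.swap_in_asset0(3_000_000.0)   # one large trade in one block

if __name__ == "__main__":
    for name, p in (("balanced", balanced), ("skewed", skewed)):
        print(name, naive_lp_price(p, P0, P1), fair_lp_price(p, P0, P1),
              borrowing_allowed(p, P0, P1))
```

By the AM-GM inequality the balance-based value can never fall below the geometric-mean value, so the gap between them works as a one-sided skew signal.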
Why is DeFi Prone to Attacks?
The crypto market has long been subject to attacks, and the decentralized finance (DeFi) market has been especially vulnerable to them. One of the biggest DeFi attacks happened in August 2021, when $600 million worth of various cryptocurrencies was stolen across multiple networks including Ethereum, Polygon, and Binance Smart Chain.
URGENT ANNOUNCEMENT : Redeem your XFTM
Our FTM collateral reserve has been exploited, there is still 1,820,012 FTM pool balance remaining currently for redemption.
Exploiter address: https://t.co/lVxIF3HMYI
We are looking into this right now, more details to follow immediately
— Fantastic Protocol (@fantasm_finance) March 9, 2022
In March 2022, the decentralized finance (DeFi) project Fantasm Finance was hacked, resulting in a loss of nearly 1,007 ETH, estimated to be worth around $2.6 million at that time. According to a Chainalysis report,
“The attacks occur as DeFi is one of the most exciting areas of the wider cryptocurrency ecosystem, presenting huge opportunities to entrepreneurs and cryptocurrency users alike.”