On Saturday, Ethereum based crypto lending protocol Inverse Finance, disclosed that it had been hacked, with the attacker making off with $15.6 million in cryptocurrency. As per the project’s report, the hacker set his sights on the Anchor money market, rigging token prices to borrow money with very little collateral.
How Inverse Finance Lost Millions
PeckShield, a blockchain security firm, reports that the attacker spotted a vulnerability in a Keep3r price oracle used by Inverse to trail token prices.
The perpetrator acquired 94 WBTC, 39 YFI, 3,999,669 DOLA, and 1,588 ETH. On the other hand, the manipulation was not a flash loan scheme and has nothing to do with Inverse’s smart contracts or front-end technology. As a result, all further borrowing on Anchor was halted for the time being.
DeFi Hacks on the Rise
There have been a total of 84 DeFi exploits, according to cryptosec, with lost cash totaling around $2.4 billion at the time of the exploits.
Inverse Finance, founded in 2020, is a set of permissionless decentralized finance [DeFi] tools administered by Inverse DAO, a decentralized autonomous organization that operates on Ethereum’s blockchain.
This is the third mega attack on decentralized finance (DeFi) protocols to hit the headlines in one week, highlighting attackers’ incredibly sophisticated tactics. The console Ronin network also reported losses of $625 million on Tuesday, while Ola Finance announced that it was hacked, losing $3.6 million.
Hacker Risked $3M for the Attack to Succeed
Notably, the Inverse hack was well-funded for it to succeed. The assailant first withdrew 901 ETH (about $3 million) through Tornado Cash, a cryptocurrency that allows users to send money without leaving a trail. The mysterious monies were subsequently injected into various trading pairings on the decentralized exchange SushiSwap by the attacker.
According to a PeckShield official, the attempt was high-risk because the attacker would have completely lost the $3 million worth of crypto used to deceive the pricing oracle if the price of INV had returned to normal levels before the perpetrator took the loans.
Most of the funds were transferred to and fro through Tornado Cash, making it almost impossible to predict where they will wind up. However, 73.5 ETH (about $250,000) is still stored in the attacker’s initial Ethereum wallet. At the time of writing, the hacker’s address is devastated.
INV Paused all Lending
Inverse said that all borrowing on Anchor had been temporarily halted. A representative for the protocol told CoinDesk that the protocol is working with Chainlink to establish a new INV oracle.
Inverse also clarified that the attack was not a flash loan attack, and it wasn’t connected to either Inverse’s smart contract or front-end code.
Inverse also said it will propose its decentralized autonomous organization (DAO) to “guarantee all wallets impacted by the price manipulation are compensated 100 percent,” though it did not elaborate. Concurrently, the project invites price manipulators to contact one another and arrange bounties in exchange for borrowed money.