Third in a week: Yet another ETH based DeFi protocol suffers a $15.6 million exploit

Third in a week: Yet another ETH based DeFi protocol suffers a $15.6 million exploit

news image

Another day, another DeFi hack as this popular Ethereum based lending protocol suffered a multi-million dollar exploit. Inverse Finance, a lending-focused decentralized finance protocol, lost more than a $15 million loss.

Sad day for DeFi 

Another prominent decentralized finance protocol has fallen victim to a crippling security breach. Inverse Finance, a stablecoin protocol that focuses on capital efficient yield generation, got drained in an exploit on 2 April. It lead to a loss of $15.6 million worth of digital assets.

PeckShield, a blockchain analytics firm, first flagged this situation.

Hi, @InverseFinance, you may want to take a look:

— PeckShield Inc. (@peckshield) April 2, 2022

The team acknowledged the situation in a Saturday morning tweet, posting: “We are currently addressing the situation please wait for an official announcement.” Similarly, posted on the Discord server for InverseDAO, the governing structure for the protocol.

Here’s what went down

PeckShield explained in a series of tweets that the hacker deposited 901 Ethereum to the protocol and used an oracle manipulation bug to manipulate the price of Inverse’s INV token. They then used INV as collateral to borrow assets and drain the protocol.

The hacker drained millions of dollars in YFI, WBTC, and Inverse’s own DOLA token from the protocol. Later, used decentralized exchanges such as Uniswap to trade the assets for Ethereum. Finally, the Ethereum wallet connected to the hacker siphoned 4,200 Ethereum worth around $14.6 million through Tornado Cash‘s transaction mixer to cover their traces.

4) The initial funds to launch the hack are withdrawn from @TornadoCash and most of the result gains are deposited to @TornadoCash. Currently 73.5 ETH still stays in the hacker’s account. We are actively monitoring this address for any movement.

— PeckShield Inc. (@peckshield) April 2, 2022

Further blockchain data indicated that some of the exploited ETH holdings were sent to Tornado Cash, a popular transaction mixer on the Ethereum network.

In the latest update on 4 April, the team addressed the users by stating:

“Update on our work to address yesterday’s price manipulation incident: we are modeling multiple paths for returning funds to those affected including working with Inverse partners.”

In additon, to inject some certainty post the exploit, the team’s twitter account asserted:

2. DOLA – the anti-fragile stablecoin – continues to maintain its USD peg using the DOLA Fed. No governance token gimmicks and no fiat injections required …

— Inverse+ (@InverseFinance) April 3, 2022

The Inverse team paused future borrows on its Anchor platform. Later, submitted a governance proposal to reimburse affected users. Needless to say, the native token directly affected by this unfortunate event.

INV plummeted in the hours since the hack. It’s down 17.1% on the day, trading at about $314. At the time of writing, the token suffered another 7% setback as it traded around the $318 mark. Looking at the bigger picture, three massive exploits in a matter of a week is no joke and is cause for concern.

Read More