DeFi Lender Inverse Finance Exploited for $15.6M

It is the third multimillion-dollar crypto attack to make headlines in recent days.

Apr 2, 2022 at 6:24 p.m. UTC
Updated Apr 4, 2022 at 7:26 p.m. UTC

Sam is a reporter at CoinDesk focused on decentralized technology, DeFi and DAOs. He owns ETH, BTC and MATIC.

Ethereum-based lending protocol Inverse Finance (INV) said Saturday it suffered an exploit, with an attacker netting $15.6 million worth of stolen cryptocurrency.

According to Inverse, the attacker targeted its Anchor money market – artificially manipulating token prices to borrow loans against extremely low collateral.

This is the third multimillion-dollar hack of a decentralized finance (DeFi) protocol to make headlines this week, and it underscores the increasingly sophisticated techniques being levied by attackers. On Tuesday the gaming-focused Ronin Network announced a loss of more than $625 million in crypto. Two days later, lending protocol Ola Finance said it was exploited for $3.6 million.

According to blockchain security firm PeckShield, the Inverse attacker took advantage of a vulnerability in a Keep3r price oracle Inverse uses to track token prices. The attacker tricked the oracle into thinking that the price of Inverse’s INV token was extraordinarily high, and then took out multimillion-dollar loans on Anchor using the inflated INV as collateral.

The attack was notably well-financed; in order to pull it off, the attacker first withdrew 901 ETH (about $3 million) from Tornado Cash, which is used to disburse crypto without leaving a clear trail. The attacker then injected the mystery funds into several trading pairs on the decentralized exchange SushiSwap – inflating the price of INV in the eyes of the Keep3r price oracle.

With the price of INV sufficiently high, the attacker then took out INV-backed loans on Anchor before arbitrageurs brought the price of INV back down to normal levels.

A representative from PeckShield noted to CoinDesk that the attack was high-risk because the $3 million worth of crypto used to trick the price oracle would have been completely lost if the price of INV fell back to normal levels before the attacker took out the loans.

Altogether, the attacker managed to run away with 1,588 ETH, 94 WBTC, 39 YFI and 3,999,669 DOLA. The attacker has cycled most of the funds back through Tornado Cash – meaning it’s difficult to know where the funds will end up – but 73.5 ETH (about $250,000) remains in the attacker’s original Ethereum wallet.

Inverse said in its announcement it has temporarily paused all borrowing on Anchor, and a representative for the protocol told CoinDesk it is working with Chainlink to build a new INV oracle.

Inverse also announced it plans to make a proposal to its decentralized autonomous organization (DAO) to “ensure all wallets impacted by the price manipulation are repaid 100%,” though without providing further details.

The Festival for the Decentralized World
Thursday - Sunday, June 9-12, 2022
Austin, Texas
Save a Seat Now

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

CoinDesk - Unknown

Sam is a reporter at CoinDesk focused on decentralized technology, DeFi and DAOs. He owns ETH, BTC and MATIC.

CoinDesk - Unknown

Sam is a reporter at CoinDesk focused on decentralized technology, DeFi and DAOs. He owns ETH, BTC and MATIC.

Trending

1
CoinDesk - Unknown
Sequoia's Guide to Surviving the 2022 Bear Market

Venture capitalists have gotten increasingly frantic over the last few months.

Venture capitalists have gotten increasingly frantic over the last few months.

CoinDesk - Unknown
2
CoinDesk - Unknown
NFT Art Museums Are a Good Idea

The metaverse turns galleries global, and helps fund the arts. This article is part of “Metaverse Week."

The metaverse turns galleries global, and helps fund the arts. This article is part of “Metaverse Week."

CoinDesk - Unknown
3
CoinDesk - Unknown
How the US Can Establish Itself as a Crypto Leader

Regulators have an opportunity to map out thoughtful, strategic policy on stablecoins and beyond.

Regulators have an opportunity to map out thoughtful, strategic policy on stablecoins and beyond.

CoinDesk - Unknown
4
CoinDesk - Unknown
No, the UK Is Not Going to Make USDC and USDT Legal Tender

For “legalize” read “regulate.”

For “legalize” read “regulate.”

CoinDesk - Unknown