DeFi Lender Inverse Finance Exploited for $15.6M

It is the third multimillion-dollar crypto attack to make headlines in recent days.

AccessTimeIconApr 2, 2022 at 6:24 p.m. UTC
Updated Apr 4, 2022 at 7:26 p.m. UTC

Sam is a reporter at CoinDesk focused on decentralized technology, DeFi and DAOs. He owns ETH, BTC and MATIC.

Ethereum-based lending protocol Inverse Finance (INV) said Saturday it suffered an exploit, with an attacker netting $15.6 million worth of stolen cryptocurrency.

According to Inverse, the attacker targeted its Anchor money market – artificially manipulating token prices to borrow loans against extremely low collateral.

This is the third multimillion-dollar hack of a decentralized finance (DeFi) protocol to make headlines this week, and it underscores the increasingly sophisticated techniques being levied by attackers. On Tuesday the gaming-focused Ronin Network announced a loss of more than $625 million in crypto. Two days later, lending protocol Ola Finance said it was exploited for $3.6 million.

According to blockchain security firm PeckShield, the Inverse attacker took advantage of a vulnerability in a Keep3r price oracle Inverse uses to track token prices. The attacker tricked the oracle into thinking that the price of Inverse’s INV token was extraordinarily high, and then took out multimillion-dollar loans on Anchor using the inflated INV as collateral.

The attack was notably well-financed; in order to pull it off, the attacker first withdrew 901 ETH (about $3 million) from Tornado Cash, which is used to disburse crypto without leaving a clear trail. The attacker then injected the mystery funds into several trading pairs on the decentralized exchange SushiSwap – inflating the price of INV in the eyes of the Keep3r price oracle.

With the price of INV sufficiently high, the attacker then took out INV-backed loans on Anchor before arbitrageurs brought the price of INV back down to normal levels.

A representative from PeckShield noted to CoinDesk that the attack was high-risk because the $3 million worth of crypto used to trick the price oracle would have been completely lost if the price of INV fell back to normal levels before the attacker took out the loans.

Altogether, the attacker managed to run away with 1,588 ETH, 94 WBTC, 39 YFI and 3,999,669 DOLA. The attacker has cycled most of the funds back through Tornado Cash – meaning it’s difficult to know where the funds will end up – but 73.5 ETH (about $250,000) remains in the attacker’s original Ethereum wallet.

Inverse said in its announcement it has temporarily paused all borrowing on Anchor, and a representative for the protocol told CoinDesk it is working with Chainlink to build a new INV oracle.

Inverse also announced it plans to make a proposal to its decentralized autonomous organization (DAO) to “ensure all wallets impacted by the price manipulation are repaid 100%,” though without providing further details.

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

CoinDesk - Unknown

Sam is a reporter at CoinDesk focused on decentralized technology, DeFi and DAOs. He owns ETH, BTC and MATIC.

CoinDesk - Unknown

Sam is a reporter at CoinDesk focused on decentralized technology, DeFi and DAOs. He owns ETH, BTC and MATIC.

Trending

1
CoinDesk - Unknown
First Mover Asia: How Traders Are Shorting Tether Stablecoins; Bitcoin Falls but Holds Above $20K

Hedge funds are increasingly betting against USDT in anticipation of it losing value amid concerns about the coin’s reserve backing and systemic risks; ether drops.

CoinDesk - Unknown
2
CoinDesk - Unknown
Hurry Up With Crypto ID Checks, FATF Tells Countries

After the potentially privacy-busting ‘travel rule’ for crypto transfers, global standard-setters at the Financial Action Task Force have their eyes on Defi, NFTs and unhosted wallets.

CoinDesk - Unknown
3
CoinDesk - Unknown
Messari Research: DCG’s Barry Silbert Wins From SEC ETF Stalemate, but Investors Lose

Messari’s Ryan Selkis says Grayscale's product is broken, but SEC leadership won't let them fix it.

CoinDesk - Unknown
4
CoinDesk - Unknown
OpenSea Reports Email Data Breach

An employee at an outside contractor tasked with managing OpenSea email newsletters copied the list of customer emails and shared it with an outside party, OpenSea says.

CoinDesk - Unknown