Inverse Finance suffers another attack; Hacker steals $1.3 million, causes $5.8 million protocol loss
On June 16th, Inverse Finance was hit by another attack, with Oracle’s price-fixing exploit allowing hackers to steal about $ 1.3 million, resulting in a protocol loss of $ 5.8 million.
Blockchain security company Peck Shield revealed the details of the incident in a series of tweets.
4 / Initial funding (1 ETH) to start the hack @TornadoCash..Currently, 68 ETH of illegal profits still remains in the hacker’s account https://t.co/lEA5jmsGXZ… and 1000 ETH @TornadoCash pic.twitter.com/fkhCdkAyvM
— PeckShield Inc. (@peckshield) June 16, 2022
This recent attack is the second attack on the DeFi protocol in two months. In early April, Inverse Finance was attacked, resulting in a loss of $ 15.6 million.
Exploit
Comprehensive report An overview of the attack was later published on the Inverse Finance website.
The report explains that the exploit occurred in the yvcrv3crypto market. In this market, Chainlink price data was used instead of the Curve protocol internal exchange rate.
According to Inverse Finance, price discrepancies allowed hackers to take advantage of 27,000 wrapped Bitcoin (wBTC) flash loans. This is a modified version of Bitcoin that has the same price but can be used on the Ethereum (ETH) network.
Next, the attacker trades wBTC to the tricrypto pool, soars the price of Oracle’s yvcrv3crypto LP token, and hackers borrow DOLA (Inverse FInance’s stablecoin) for collateral on Inverse FInance’s frontier platform. Allowed.
Using Ethereum data, PeckShield tweeted that the stolen amount of 68 ETH is still in the hacker, and 1,000 ETH is a variety of potentially identifiable cryptocurrencies to increase anonymity and make trading difficult. Trace said that it is deposited in Tornado Cash, a cryptocurrency mixer that mixes various streams.
Inverse FInance’said that the collateral deposited by users was not affected by the hack, but Frontier Federated Bank, Inverse Finance DAO, said it had a bad DOLA debt of $ 5.8 million. This adds to the approximately $ 3.8 million DOLA debt incurred in the April hack.
The DeFi protocol added that individual users are not directly affected by the incident, so there is no need to change the plans for users affected by the April incident.
Inverse Finance promises a variety of actions
Inverse FInance detailed various security measures, including plans to collect funds and ensure additional security on the DeFi platform.
This included openly appealing to hackers to return the funds for a “generous bounty.” In addition, DAO has promised to make the attack data available to anyone who is willing to help collect funds for rewards.
Inverse FInance said it has acquired the services of RiskDAO, a team of security experts, to investigate attacks and hire additional security operations staff.
Finally, Inverse FInance has suspended borrowing of all assets on the Frontier platform, but expects to resume borrowing for assets using Chainlink-only feeds and INVs soon.
