Inverse Finance on June 16 suffered another attack, with an oracle price manipulation exploit allowing a hacker to steal about $1.3 million and resulting in a loss of $5.8 million for the protocol.
Blockchain security company PeckShield revealed the details of the incident in a series of tweets.
4/ The initial fund (1 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 68 ETHs of the illicit gains still stay in the hacker’s account https://t.co/lEA5jmsGXZ… and 1000 ETHs have been deposited to @TornadoCash pic.twitter.com/fkhCdkAyvM
— PeckShield Inc. (@peckshield) June 16, 2022
This recent attack makes it the second attack on the DeFi protocol in the space of two months. Earlier in April, Inverse Finance suffered an attack that led to the loss of $15.6 million.
A comprehensive report of the attack was later published on Inverse Finance’s website.
The report explains that the exploit happened on the yvcrv3crypto market, which used Chainlink price data instead of Curve protocol’s internal exchange rate.
Inverse Finance said the price discrepancy allowed the hacker to take a flash loan of 27,000 Wrapped Bitcoin (wBTC) — a modified version of Bitcoin, which is equal in price, but can be used on the Ethereum (ETH) network.
The attacker then traded the wBTC into the tricrypto pool, leading to a surge in the price of the yvcrv3crypto LP token on the price oracle and allowing the hacker to borrow DOLA — Inverse FInance’s stablecoin — against that collateral on Inverse FInance’s Frontier platform.
PeckShield, using Etherscan data, said in a tweet that 68 ETH from the stolen amount is still with the hacker and 1,000 ETH have been deposited to Tornado Cash, a cryptocurrency mixer that mixes different streams of potentially identifiable cryptocurrency to increase anonymity and make transactions harder to trace.
Inverse FInance’ said no user-deposited collateral was affected by the hack but noted that the Frontier Fed, Inverse Finance DAO incurred $5.8 million in bad DOLA debt. This is in addition to the roughly $3.8 million DOLA debt incurred in the April hack.
The DeFi protocol added that since no individual users were directly impacted by the incident, no changes are required to its make-good plan for the users affected by the April incident.
Inverse Finance promises a range of actions
Inverse FInance detailed a range of safety measures, which include plans to recover the funds and ensure additional safety on the DeFi platform.
This included an open appeal to the hacker to return the funds for “a generous bounty.” In addition, the DAO promised to make data of the attack available to anyone who is willing to help in the recovery of the funds for a reward.
Inverse FInance stated that it acquired the services of RiskDAO, a team of security experts, to look into the attack and is also hiring additional security operations staff.
Lastly, Inverse FInance has paused borrowing on all assets on the Frontier platform but expects borrowing against assets with Chainlink-only feeds as well as INV to resume shortly.