DeFi: Over a million dollars stolen from Inverse Finance

Only two months after losing $15.6 million in a price oracle manipulation hack, Inverse Finance was hit with another instant credit exploit, this time with attackers fleeing with $1.26 million in Tether (USDT) and Wrapped Bitcoin (WBTC). Read the article if you want to learn more.

According to PeckShield, the attacker exploited a flaw in the Keep3r price oracle, which Inverse Finance relies on to track token prices. By overquoting INV and utilizing the asset as collateral in the Anchor System marketplace, the hacker was able to “cheat” the protocol.

Inverse Finance is a DeFi system based on Ethereum, and a flash loan is a sort of cryptocurrency loan that is often borrowed and returned in a single transaction. Oracles publish external pricing data.

What has been stolen

According to blockchain statistics, the intrusion occurred just after 11:00 a.m. GMT. The missing monies were in the form of ETH, WBTC, and DAI. According to further blockchain data, part of the stolen ETH was routed to Tornado Cash, a major transaction mixer on the Ethereum network.

All borrowing activities on the Anchor Protocol marketplace were halted by the Inverse Finance team. Also, the developers have requested that the hacker restore the stolen assets in exchange for a reward. A proposal to reimburse impacted customers for their losses will be offered to the DAO behind the initiative.

As a reminder, hackers targeted the Ronin sidechain of the blockchain game Axie Infinity in March 2022. The assailants stole assets totaling $625 million.

The second round?

However, it is not the first hacker attack on Inverse Finance. Previously, in April 2022, Inverse Finance’s lending protocol was hacked, with an attacker stealing $1.2 million in cryptocurrency. According to PeckShield, the project’s losses might reach that amount.

The hacker exploited an immediate loan to manipulate a pricing oracle that estimates the value of LP tokens based on asset balances in the liquidity pool, according to the business.

The hacker extracted 53 BTC and 100,000 USDT from the protocol. Indeed, the connected address had 68 ETH left. He liquidated the remaining assets on the decentralized exchange Uniswap and sent the proceeds to the Ethereum mixer Tornado Cash.

In reaction to the attack, Inverse Finance ceased borrowing immediately and pulled their stablecoin DOLA from the financial markets while the event was examined, indicating that user funds were not in danger.

However, you can always use bit4you trading platform services, such as crypto trading and exchanging directly on your phone or website. Increase your proficiency in cryptocurrency with bit4you Academy and trade more effectively. Do not hesitate to jump into your crypto journey train today and test comfortable crypto trading!

Valentyna Bereza, Team bit4you.