Ethereum-based open-source protocol Inverse Finance has suffered another hack, which led to the loss of over $1.2 million worth of cryptocurrencies. The exploit is the second attack on the platform in two months.
Inverse Finance Exploited Again
According to a tweet thread by blockchain security firm PeckShield on Thursday (June 16, 2022), the attack on Inverse Finance was made possible by price oracle manipulation. While PeckShield said the hacker gained around $1.26 million from the exploit, the firm noted that Inverse Finance’s losses could be higher.
The attacker used a flash loan to exploit the protocol’s price oracle. Flash loans are a special type of on-chain lending in the crypto space in which a user can borrow funds from a lending pool without posting collateral, but the loan must be repaid in the same transaction.
Flash loans are usually used to obtain funds to take advantage of arbitrage opportunities in the decentralized finance ecosystem. Arbitrage arises when a token is quoted at different prices on two marketplaces, allowing traders to buy cheaply on one platform and quickly sell for a profit on the other.
These loans can, however, be put to malicious use by exploiters, as has been the case in multiple instances. Such attacks often involve using the stash of borrowed funds to unbalance the liquidity pool on DeFi protocols.
On-chain data shows the exploiter first borrowed 27,000 wrapped bitcoin (wBTC) worth about $580 million.
This borrowed sum was used to manipulate price feeds on the protocol, skewing the balance of the platform’s liquidity. As a result, the exploiter was able to drain 53 BTC and 100,000 tether (USDT), which amounted to a total of $1.2 million.
However, the lending protocol earlier said that users’ funds were safe, adding that the protocol halted borrowing to investigate the matter.
“Inverse has temporarily paused borrowing following an incident this morning where DOLA was removed from our money market, Frontier. We are investigating the incident however no user funds were taken or were at risk. We are investigating and will provide more details soon.”
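As an added illustration of the price-feed manipulation described above (not code from the article, PeckShield or Inverse Finance), the Python example below models a generic constant-product pool and shows why a lending market that values collateral at the pool's spot price can be misled by one oversized same-transaction trade, while a time-averaged reference with a deviation check refuses to quote. The pool model, the names `Pool`, `guarded_price` and `demo`, and all numbers are assumptions constructed for the example; the article does not describe how Inverse Finance's oracle was built.

```python
# Added illustration with constructed numbers; not Inverse Finance's contracts.
from dataclasses import dataclass, field

class OracleDeviation(Exception):
    """Spot price strayed too far from the time-averaged reference."""

@dataclass
class Pool:
    base: float                                  # collateral-token reserve (constructed)
    quote: float                                 # stablecoin reserve (constructed)
    closes: list = field(default_factory=list)   # end-of-block prices

    def spot(self) -> float:
        return self.quote / self.base

    def swap_quote_in(self, amount: float) -> None:
        """Constant-product swap (x * y = k, fee ignored): quote in, base out."""
        k = self.base * self.quote
        self.quote += amount
        self.base = k / self.quote

    def end_block(self) -> None:
        self.closes.append(self.spot())

    def twap(self, window: int) -> float:
        recent = self.closes[-window:]
        return sum(recent) / len(recent)

def guarded_price(pool: Pool, window: int = 10, max_dev: float = 0.05) -> float:
    """Price collateral at the TWAP; refuse to quote while spot disagrees with it."""
    ref, spot = pool.twap(window), pool.spot()
    if abs(spot - ref) / ref > max_dev:
        raise OracleDeviation(f"spot {spot:.2f} vs TWAP {ref:.2f}")
    return ref

def demo() -> dict:
    pool = Pool(base=1_000.0, quote=1_000_000.0)
    for _ in range(10):               # ten quiet blocks establish the reference
        pool.end_block()
    before = guarded_price(pool)
    pool.swap_quote_in(1_000_000.0)   # one oversized trade inside a single transaction
    naive = 10 * pool.spot()          # 10 collateral units valued at raw spot
    try:
        guarded_price(pool)
        blocked = False
    except OracleDeviation:
        blocked = True
    return {"before": before, "naive_value": naive, "fair_value": 10 * before, "blocked": blocked}
```

Calling `demo()` shows the spot-based valuation of the same collateral quadrupling within the transaction while the guarded oracle raises `OracleDeviation` instead of returning a price.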
DeFi’s Flash Loan Problems
The latest exploit comes two months after hackers drained over $15 million worth of cryptocurrency from Inverse Finance. According to a report by crypto.news, the attacker exploited a vulnerability in the protocol’s Keep3r price oracle to carry out the attack.
Meanwhile, there has been an increase in flash loan attacks on DeFi protocols in recent times. Beanstalk Farms lost $76 million worth of crypto to hackers in April, with the platform later offering 10% of the stolen funds to the attackers if they returned the money.
Agave and Hundred Finance also lost cryptocurrency worth $11 million after attackers implemented a flash loan exploit. The attack happened 24 hours after hackers stole $3 million in DIA and Ether from DeFi protocol Deus Finance.
Later in April, Deus Finance was again exploited, with hackers stealing over $13 million.