The DeFi Inverse Finance protocol is reversed and loses 15 Million

Hackers don’t take weekends off – Since the emergence of decentralized finance (DeFi) at the end of 2020, not a week has gone by without a protocol being the target of an attack. For once, the attack we are going to talk about today took place over the weekend, to believe that hackers never take a break.

$15 million stolen from Inverse Finance

Reverse Finance is a decentralized finance protocol offering a savings and borrowing service on Ethereum. In parallel, the protocol is at the origin of the stablecoin Dola.

Saturday, April 2, the blockchain analytics firm peck shield notified the protocol that a suspicious transaction had been detected.

Tweet announcing an attack in progress on Inverse Finance
Tweet announcing an attack in progress on Inverse Finance – Source: Twitter.

It did not take very long before the thesis of the attack was validated.

Thus, the attacker succeeded in stealing the equivalent of $15 million in cryptocurrenciesbroken down as follows:

  • 1588ETH;
  • 94WBTC;
  • 4M DOLA;
  • 39.3 YFI.

>> Afraid of a flaw in your favorite DeFi protocol? Sign up on PrimeXBT (affiliate link). <<

New oracle manipulation attack

For once, the modus operandi used by the attacker is not very innovative. Indeed, he led a so-called attack by oracle manipulation. The objective of such an attack is to artificially manipulate the price of a cryptocurrency in order to deceive a protocol.

The case of the Inverse Finance attack took place in 3 main stages:

  • The attacker withdrew 901 ETH from Tornado Cash and used 500 to buy INV tokens on Sushiswap;
  • The massive purchase of these tokens artificially inflated the price of INV;
  • The attacker deposited his INV tokens to borrow ETH on Inverse Finance. So, thanks to his artificial price inflation, the attacker was able to borrow $15.6 million worth of ETH by depositing just $644,000 worth of INV tokens.

The loan was possible, because the smart contract of Inverse Finance retrieves the prices of the various tokens via the TWAP oracle offered by the DEX Sushiswap.

Unsurprisingly, the protocol Inverse Finance has never been audited. Moreover, as pointed out by many Internet users, it is extremely dangerous to rely on a single source of data to feed your smart contract.

Obviously, once the attack was finalized, the attacker hastened to pass part of the funds through the Tornado Cash mixing protocol in order to cover his tracks.

For their part, the Inverse Finance teams are exploring the various solutions available to them for setting up a compensation plan.

“We are considering several methods to return the funds to the people concerned, including working with partners of Inverse Finance. »

Inverse Finance Statement

Recently, it was the Ronin network bridge that was the target of an attack. In this case, the striker was able to get away with an impressive loot of $600 million.

Hacks are unfortunate hazards but not inevitable… Play it safe and register now on the PrimeXBT platform. In addition, you benefit from a bonus of up to $7,000 on your first deposit thanks to our code 50DEPJDC (affiliate link, see conditions on the official site).

We would love to say thanks to the writer of this write-up for this remarkable web content

The DeFi Inverse Finance protocol is reversed and loses 15 Million

We have our social media pages here and other pages on related topics here.