Just two months after losing $15.6 million in a price oracle manipulation exploit, Inverse Finance has again been hit with a flash loan exploit that saw the attackers make off with $1.26 million in Tether (USDT) and Wrapped Bitcoin (wBTC).
Inverse Finance is an Ethereum-based decentralized finance (DeFi) protocol, and a flash loan is a type of crypto loan that is usually borrowed and returned within a single transaction. Oracles report external pricing information.
The latest exploit worked by using a flash loan to manipulate the price oracle for a liquidity provider (LP) token used by the protocol's money market application. This allowed the attacker to borrow a larger amount of the protocol's stablecoin, Dola (DOLA), than the amount of collateral they posted, letting them pocket the difference.
The attack comes just over two months after a similar April 2 exploit, which saw attackers artificially manipulate collateralized token prices through a price oracle to drain funds using the inflated prices.
In response to the attack, Inverse Finance quickly paused borrowing and removed DOLA from the money market while it investigated the incident, saying no user funds were at risk.
Inverse has quickly paused borrows following an incident this morning where DOLA was removed from our money market, Frontier. We are investigating the incident; however, no user funds have been taken or have been at risk. We are investigating and will provide more details soon.
— Inverse+ (@InverseFinance) June 16, 2022
It later confirmed that only the attacker's deposited collateral was affected in the incident and that it only incurred a debt to itself because of the stolen DOLA. It encouraged the attacker to return the funds in return for a "generous bounty."
In total, the attackers gained 99,976 USDT and 53.2 wBTC from the attack, swapping them to ETH before sending all of it through the cryptocurrency mixer Tornado Cash in an attempt to obfuscate the ill-gotten gains.
The earlier attack in April saw attackers make off with $15.6 million in Ether (ETH), wBTC, Yearn.Finance (YFI) and DOLA.
DeFi market Deus Finance suffered from a similar exploit in March, with attackers manipulating a price pairing within an oracle, leading to a gain of 200,000 Dai (DAI) and 1101.8 ETH, worth over $3 million at the time.
Beanstalk Farms, a credit-based stablecoin protocol, lost all $182 million worth of collateral in a flash loan attack caused by two malicious governance proposals, which in the end drained all funds from the protocol.
How the latest attack went down
Blockchain security firm BlockSec's analysis found that the attacker borrowed 27,000 wBTC in a flash loan, swapping a small amount to the LP token that is used to post collateral in Inverse Finance so users can borrow crypto assets.
The remaining wBTC was swapped to USDT, causing the price of the attacker's collateralized LP token to rise significantly in the eyes of the price oracle. With these LP tokens now worth much more because of the price rise, the attacker borrowed a larger amount than usual of the DOLA stablecoin.
The DOLA was worth much more than the deposited collateral, so the attacker swapped the DOLA to USDT, and the earlier wBTC to USDT swap was reversed to repay the original flash loan.
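The sketch below is an added example, not code from Inverse Finance or BlockSec. It shows why an oracle that values LP tokens from a pool's current balances overstates collateral after one large swap, next to a valuation that depends only on the pool invariant and independent reference prices. The two-asset constant-product pool, the absence of fees, the reference prices, the pool sizes and the 0.8 collateral factor are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Pool:
    """Two-asset constant-product pool (assumed model, fees ignored)."""
    wbtc: float
    usdt: float
    lp_supply: float

    def swap_wbtc_in(self, amount: float) -> float:
        """Sell wBTC into the pool and return the USDT paid out."""
        k = self.wbtc * self.usdt          # invariant before the swap
        self.wbtc += amount
        usdt_out = self.usdt - k / self.wbtc
        self.usdt -= usdt_out
        return usdt_out

def naive_lp_price(pool: Pool, p_wbtc: float, p_usdt: float) -> float:
    """Weak: values the pool's current balances, which one large swap can skew."""
    return (pool.wbtc * p_wbtc + pool.usdt * p_usdt) / pool.lp_supply

def fair_lp_price(pool: Pool, p_wbtc: float, p_usdt: float) -> float:
    """Hardened: uses only the invariant k and reference prices, so swaps cannot move it."""
    k = pool.wbtc * pool.usdt
    return 2 * math.sqrt(k * p_wbtc * p_usdt) / pool.lp_supply

def borrow_limit(lp_amount: float, lp_price: float, factor: float = 0.8) -> float:
    """Maximum debt a money market would allow against the LP collateral."""
    return lp_amount * lp_price * factor

def compare(swap_wbtc: float) -> dict:
    """LP price under both oracles before and after one large swap."""
    p_wbtc, p_usdt = 20_000.0, 1.0                 # constructed reference prices
    pool = Pool(1_000.0, 20_000_000.0, 1_000.0)    # constructed, balanced pool
    result = {"naive_before": naive_lp_price(pool, p_wbtc, p_usdt),
              "fair_before": fair_lp_price(pool, p_wbtc, p_usdt)}
    pool.swap_wbtc_in(swap_wbtc)
    result["naive_after"] = naive_lp_price(pool, p_wbtc, p_usdt)
    result["fair_after"] = fair_lp_price(pool, p_wbtc, p_usdt)
    return result

if __name__ == "__main__":
    r = compare(3_000.0)
    print(r)
    print("limit on 10 LP, naive:", borrow_limit(10, r["naive_after"]))
    print("limit on 10 LP, fair: ", borrow_limit(10, r["fair_after"]))
```

With the balance-based valuation, the borrow limit on the same collateral ends up above the collateral's honest value, which is the gap the article describes. The invariant-based valuation returns the same price before and after the swap.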