Just two several weeks after losing $15.six million inside a cost oracle manipulation exploit, Inverse Finance has again been hit having a flash loan exploit that saw the attackers make served by $1.26 million in Tether (USDT) and Wrapped Bitcoin (wBTC).
Inverse Finance is definitely an Ethereum-based decentralized finance (DeFi) protocol along with a flash loan is a kind of crypto loan that’s usually lent and came back inside a single transaction. Oracles report outdoors prices information.
The most recent exploit labored using a flash loan to control the cost oracle for any liquidity provider (LP) token utilized by the protocol’s money market application. This permitted the attacker to gain access to a bigger quantity of the protocol’s stablecoin, Dola (DOLA), than the quantity of collateral they published, allowing them to pocket the main difference.
The attack comes approximately two several weeks following a similar April 2 exploit, which saw attackers artificially manipulate collateralized token prices via a cost oracle to empty funds while using inflated prices.
As a result of the attack, Inverse Finance temporarily stopped borrowing and removed DOLA in the money market although it investigated the incident, saying no thanks user funds were in danger.
Inverse has temporarily stopped borrows following an accidents today where DOLA was taken off our money market, Frontier. We’re investigating the incident however no user funds were taken or were in danger. We’re investigating and can provide additional information soon.
— Inverse+ (@InverseFinance) June 16, 2022
It later confirmed that just the attacker’s deposited collateral was affected within the incident and just incurred a personal debt to itself because of the stolen DOLA. It encouraged the attacker to come back the funds to acquire a “generous bounty.”
Related: Attackers loot $5M from Osmosis in LP exploit, $2M came back right after
As a whole, the attackers acquired 99,976 USDT and 53.2 wBTC in the attack, swapping these to ETH before delivering it throughout the cryptocurrency mixer Tornado Cash, trying to obfuscate the ill-become gains.
The prior attack in April saw attackers make served by $15.six million in Ether (ETH), wBTC, Yearn.Finance (YFI) and DOLA.
DeFi marketplace Deus Finance endured from the similar exploit in March, with attackers manipulating a cost pairing inside an oracle resulting in an increase of 200,000 Dai (DAI) and 1101.8 ETH, worth over $3 million at that time.
Beanstalk Farms, a credit-based stablecoin protocol, lost all $182 million price of collateral very quickly loan attack brought on by two malicious governance proposals, which within the finish, drained all funds in the protocol.
The way the latest attack went lower
Blockchain security firm BlockSec examined the attacker lent 27,000 wBTC very quickly loan, swapping a percentage towards the LP token accustomed to publish collateral in Inverse Finance so users can borrow crypto assets.
The rest of the wBTC was swapped to USDT, resulting in the cost from the attacker’s collateralized LP token to increase considerably within the eyes from the cost oracle. With the need for these LP tokens now worth much more because of the cost rise, the attacker lent a bigger amount than normal from the DOLA stablecoin.
The need for the DOLA was worth even more than the deposited collateral, therefore the attacker swapped the DOLA to USDT, and also the earlier wBTC to USDT swap was reversed to pay back the initial flash loan.
