Ethereum-based lending protocol Inverse Finance (INV) said Saturday that it suffered an exploit, with an attacker netting $15.6 million worth of stolen cryptocurrency.
According to Inverse, the attacker targeted its Anchor (ANC) money market – artificially manipulating token prices to take out loans against extremely low collateral.
This is the third multi-million dollar hack of a decentralized finance (DeFi) protocol to make headlines this week, and it underscores the increasingly sophisticated techniques being used by attackers. On Tuesday, the gaming-focused Ronin network announced a loss of more than $625 million in crypto, and two days later lending protocol Ola Finance said it was exploited for $3.6 million.
According to blockchain security firm PeckShield, the Inverse attacker took advantage of a vulnerability in a Keep3r price oracle Inverse uses to track token prices. The attacker tricked the oracle into thinking that the price of Inverse’s INV token was extraordinarily high, and then took out multi-million-dollar loans on Anchor using the inflated INV as collateral.
The attack was notably well-financed; in order to pull it off, the attacker first withdrew 901 ETH (about $3 million) from Tornado Cash, which is used to disburse crypto without leaving a clear trail. The attacker then injected the mystery funds into several trading pairs on the decentralized exchange SushiSwap – inflating the price of INV in the eyes of the Keep3r price oracle.
With the price of INV sufficiently high, the attacker then took out INV-backed loans on Anchor before arbitrageurs brought the price of INV back down to normal levels.
A representative from PeckShield noted to CoinDesk that the attack was high-risk, since the $3 million worth of crypto used to trick the price oracle would have been completely lost if the price of INV fell back to normal levels before the attacker took out the loans.
Altogether, the attacker managed to run away with 1,588 ETH, 94 WBTC, 39 YFI and 3,999,669 DOLA. The attacker has cycled most of the funds back through Tornado Cash – meaning it’s difficult to know where the funds will end up – but 73.5 ETH (about $250,000) remains in the attacker’s original Ethereum wallet.
Inverse said in its announcement that it has temporarily paused all borrowing on Anchor, and a representative for the protocol told CoinDesk that it is working with Chainlink to build a new INV oracle.
Inverse also announced that it plans to make a proposal to its decentralized autonomous organization (DAO) to “ensure all wallets impacted by the price manipulation are repaid 100%,” though without providing further details.
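The price-feed failure described above can be shown with a small model, added here as an example and not taken from Inverse, Keep3r or PeckShield. A large buy into a thin constant-product pool moves a short-window time-weighted average far more than a long-window one, and a deviation check against an independent reference price refuses to value collateral at the inflated figure. The pool reserves, window lengths, 10% threshold and all function names are assumptions; the article does not give the oracle's actual parameters.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product (x*y=k) pool, fees ignored. Reserves below are constructed."""
    token: float  # collateral-token reserve
    quote: float  # quote-asset reserve, in USD terms

    def price(self) -> float:
        return self.quote / self.token

    def buy_token(self, quote_in: float) -> None:
        k = self.token * self.quote  # invariant preserved by the swap
        self.quote += quote_in
        self.token = k / self.quote

def twap(samples):
    """Time-weighted average of (price, seconds_at_that_price) samples."""
    return sum(p * s for p, s in samples) / sum(s for _, s in samples)

def collateral_value(amount, oracle_price, reference_price, max_deviation=0.10):
    """Value collateral only if the oracle agrees with an independent reference."""
    deviation = abs(oracle_price - reference_price) / reference_price
    if deviation > max_deviation:
        raise ValueError(f"oracle deviates {deviation:.0%} from reference; borrow refused")
    return amount * oracle_price

def simulate():
    pool = Pool(token=10_000.0, quote=4_000_000.0)  # thin pool, spot price 400
    normal = pool.price()
    pool.buy_token(3_000_000.0)                     # one large buy into the thin pool
    spiked = pool.price()
    held = 540                                      # seconds the spike persists (assumed)
    short = twap([(normal, 600 - held), (spiked, held)])      # 10-minute window
    long_ = twap([(normal, 86_400 - held), (spiked, held)])   # 24-hour window
    return normal, spiked, short, long_

if __name__ == "__main__":
    normal, spiked, short, long_ = simulate()
    print(f"spot {normal:.0f} -> {spiked:.0f}; 10-min TWAP {short:.1f}; 24-h TWAP {long_:.1f}")
    # 'normal' stands in for an independent feed that the pool trade does not move.
    for name, price in (("10-min", short), ("24-h", long_)):
        try:
            print(name, "collateral value:", round(collateral_value(1_000, price, normal)))
        except ValueError as err:
            print(name, "rejected:", err)
```

In this model the 10-minute average is rejected by the deviation check, while the 24-hour average stays within about 1.3% of the reference and is accepted.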