Ethereum-based DeFi protocol Inverse Finance [INV] revealed that an anonymous attacker has stolen $15.6 million worth of cryptocurrency. Detailing the incident, blockchain security firm PeckShield noted that the attacker exploited a vulnerability in a Keep3r price oracle which Inverse uses to track token prices.
Through a series of tweets, PeckShield experts summarised that the attacker manipulated the oracle into believing that the price of Inverse Finance’s INV token was unusually high, and then extracted multi-million-dollar loans on Anchor using the inflated INV token as collateral.
Drilling deeper, researchers at PeckShield observed that the attacker first withdrew 901 ETH [about $3 million] from Tornado Cash, cleverly removing any trail of its activity. The hacker then used DEXs such as SushiSwap to transfer the stolen assets, which resulted in a sharp increase in the price of INV, thus tricking the Keep3r price oracle.
Inverse Finance’s “High Risk” Attack
Using the manipulated price of INV, the malicious actor then took out INV-backed loans on money market Anchor before arbitrageurs brought the price of INV back to normal levels. A representative from PeckShield called the attack high-risk because it used $3 million worth of crypto to deceive the price oracle.
The attacker managed to remove 1,588 ETH, 94 WBTC, 39 YFI, and 3,999,669 DOLA. Although it’s difficult to track where the funds will end up, PeckShield noted that 73.5 ETH [about $250,000] still remains in the attacker’s original Ethereum wallet.
Conceived in 2020, Inverse Finance is a suite of permissionless decentralized finance [DeFi] tools that are said to be governed by Inverse DAO, a decentralized autonomous organization running on the popular Ethereum blockchain.
Some of its major products include Anchor and DOLA. Anchor is a synthetic asset and money market protocol that facilitates capital-efficient lending and borrowing.
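The failure mode described above, seen from the lender's side, as an added example that is not code from Inverse Finance, Keep3r or PeckShield: a collateral price that follows a brief spike inflates the borrow limit, while a check against a longer-window median pauses borrowing until the price settles. The short-window oracle model, the price samples, the collateral factor and the deviation threshold are all assumptions constructed for illustration; the page does not describe the oracle's internals.

```python
from statistics import mean, median

# Constructed INV/USD samples, one per block: steady price, a brief spike,
# then arbitrage pulling it back. None of these values come from the incident.
SPOT = [400, 402, 398, 401, 399, 400, 403, 3900, 4100, 1200, 410, 401]

COLLATERAL_FACTOR = 0.6  # assumed: share of collateral value that may be borrowed
MAX_DEVIATION = 0.25     # assumed: tolerated gap between fast price and baseline


def window(samples, block, size):
    """Last `size` samples up to and including `block`."""
    return samples[max(0, block - size + 1):block + 1]


def naive_borrow_limit(samples, block, units, fast=2):
    """Value collateral at a short-window average only (assumed oracle model)."""
    return units * mean(window(samples, block, fast)) * COLLATERAL_FACTOR


def guarded_borrow_limit(samples, block, units, fast=2, slow=8):
    """Return the borrow limit, or None when the fast price is not trusted.

    The baseline is a median over a longer window, so a few extreme samples
    cannot drag it along with the spike.
    """
    fast_price = mean(window(samples, block, fast))
    baseline = median(window(samples, block, slow))
    if abs(fast_price - baseline) / baseline > MAX_DEVIATION:
        return None  # pause borrowing against this collateral
    # Value at the lower of the two prices to stay conservative.
    return units * min(fast_price, baseline) * COLLATERAL_FACTOR


def rejected_blocks(samples, units=1000):
    """Blocks at which the guard refuses to price the collateral."""
    return [b for b in range(len(samples))
            if guarded_borrow_limit(samples, b, units) is None]


if __name__ == "__main__":
    for b in range(len(SPOT)):
        print(b, SPOT[b], round(naive_borrow_limit(SPOT, b, 1000)),
              guarded_borrow_limit(SPOT, b, 1000))
```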
Inverse released a statement saying that it has temporarily halted all borrowing activities on Anchor, and is working with Chainlink to build a new INV oracle. The DeFi lender also announced that it plans to make a proposal to its decentralized autonomous organization [DAO] to “ensure all wallets impacted by the price manipulation are repaid 100%,” without providing any further details.