ethereum-bitcoin

More than $15 million stolen after hackers exploit DeFi platform Inverse Finance

An attack on decentralized finance (DeFi) protocol Inverse Finance led to the theft of more than $15 million in cryptocurrency, the company said on Saturday. 

The company wrote on Twitter that a hacker managed to manipulate its money market, Anchor, and increased the price of INV via Sushiswap – an open-source ecosystem of DeFi tools. 

INV is an Ethereum token that powers Inverse Finance, a decentralized platform used for lending, borrowing, and creating synthetic assets. 

The manipulation caused a sharp increase in the price of INV, allowing the hacker to borrow $15.6 million in the DOLA, ETH, WBTC and YFI cryptocurrencies against it. 

“The manipulation was not a flash loan attack and was unrelated to Inverse's smart contract or front end code. All future borrows on Anchor are temporarily paused,” the company said initially.

“The plan to be proposed to governance is to ensure all wallets impacted by the price manipulation are repaid 100%. We have multiple avenues for accomplishing this and will provide updates as the DAO discusses our options.”

The company added a message to the people behind the hack, telling them to reach out through Twitter or Discord to “discuss a generous bounty in exchange for returning the borrowed funds.”

By Sunday, the company said it was “modeling multiple paths for returning funds to those affected including working with Inverse partners.”

They took several measures to stabilize their market and reiterated their call for the hacker to contact them for a “generous” bounty. 

The company noted that the attack was first spotted by blockchain analysis firm PeckShield. PeckShield said the hack was made possible due to a price oracle manipulation that allowed the attacker to use the manipulated price of INV as collateral to drain assets from Inverse Finance.

Price surge

In a blog post on Monday, Inverse Finance confirmed PeckShield’s analysis which found that the attacker withdrew 901 ETH from Tornado Cash and made a series of trades primarily in the INV/DOLA pool on SushiSwap on Saturday morning. Tornado Cash is a cryptocurrency mixer that allows people to hide the origin of funds. 

The actions led to a temporary surge in the price of INV to $20,926, up from $TK. 

“The attacker staked newly acquired (and temporarily mis-priced) INV on Anchor as collateral, borrowed 1,588 ETH, 94 WBTC, 4MM DOLA, and 39 YFI. The attacker transferred the borrowed funds to a new wallet,” the company said. 

“After the INV price was corrected, the attacker’s INV collateral was liquidated. The attacker used a series of spam transactions to hide the true attack which removed on-chain arbitrage opportunities that would normally occur.”

The company said its primary focus was on making sure all of those affected – mainly those who have staked WBTC, ETH, YFI and DOLA on Anchor – are repaid. 

They expect it to take several weeks or months to repay those affected. The company added that the borrow markets on Anchor will be paused for “several days” as the revised INV oracle code is reviewed, tested and deployed. 

The hack follows several headline-grabbing DeFi attacks that took place over the last two weeks. 

Decentralized lending platform Ola Finance said it was hacked last Thursday, reporting that about $4.67 million in cryptocurrency was stolen. 

The attack on Ola Finance came just days after the Ronin Network announced that hackers stole more than $600 million worth of Ethereum and $25.5 million of US dollar-pegged stablecoin USDC. It is now considered one of the largest DeFi hacks to date.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.