Hackers steal more than $15 million from the DeFi protocol Inverse Finance

ETH-based lending protocol Inverse Finance was targeted by a hack this week. The breach resulted in a loss of $15.6 million worth of cryptocurrencies. That is, more than R$ 72 million at the current price.

The team behind the protocol confirmed the attack on its Twitter account last Saturday (2). According to the team, the attack was the result of intensive manipulation in the price of the INV token:

This morning Inverse Finance’s money market, Anchor, was subject to a capital-intensive manipulation of the INV/ETH price oracle on Sushiswap, resulting in a sharp rise in the price of INV which subsequently enabled the attacker to borrow $15.6 million in DOLA, ETH , WBTC, & YFI

— Inverse+ (@InverseFinance) April 2, 2022

As you can see in the chart of native token INV, on April 2, the price was around $378. Minutes later, there was a jump to around $570. So, a “pump” of around 50%. . Then the token price plummeted to $271, down 52%.

INV Price Chart – Source: CoinMarketCap

Attack details

According to blockchain security firm PeckShield, the Inverse Finance attacker took advantage of a vulnerability in a Keep3r price oracle that the company used to track token prices.

The exploit allowed the hacker to “spoof” the protocol. He inflated INV prices and used the asset as collateral in the Anchor Protocol market.

Also according to the company’s report on the case, the hacker needed to “invest” for the attack to be successful. More precisely, it had to deposit 901 ETH (more than $3.15 million) to carry out the attack.

The funds came from the cryptocurrency mixer, Tornado Cash, which is typically used to move cryptocurrencies without leaving a trace.

Afterwards, the attacker allegedly injected the funds into various trading pairs on the decentralized SushiSwap (DeFi) platform, inflating the INV price to the Keep3r oracle. In addition, the hacker also transferred most of the stolen assets to the service’s address.

On April 3rd, the team presented a plan to deal with the aftermath of the attack and return the affected funds.

“We reiterate our invitation to the person(s) behind the price manipulation to get in touch and discuss a generous reward for returning borrowed funds. We are also inviting interested community members to help us identify those responsible.”