Inverse Finance (INV), an Ethereum-based lending system, announced on Saturday that it had been hacked and that an attacker had made off with $15.6 million in cryptocurrencies.
According to Inverse, the attacker went after the Anchor money market, intentionally distorting token prices to borrow money with very little collateral.
This is the third multimillion-dollar hack of decentralized finance (DeFi) technology to hit the news this week, highlighting attackers’ increasingly sophisticated tactics. On Tuesday, the gaming-focused Ronin Network declared a crypto loss of almost $625 million. Ola Finance, a lending protocol, announced two days later that it had been hacked for $3.6 million.
The Inverse attacker took advantage of a vulnerability in a Keep3r pricing oracle that Inverse employs to track token prices, according to blockchain security firm PeckShield. The attacker deceived the oracle into believing that the cost of Inverse’s INV token was extremely high and then used the inflated INV as collateral for multimillion-dollar loans on Anchor.
The hack was well-funded; to pull it off, the attacker first withdrew 901 ETH (about $3 million) from Tornado Cash, a cryptocurrency that allows users to send money without leaving a trail. The mysterious funds were subsequently pumped into multiple trading pairs on the decentralized exchange SushiSwap, increasing the price of INV as seen by the Keep3r price oracle.
Once the price of INV had risen sufficiently, the attacker took out INV-backed loans on Anchor before arbitrageurs could bring the price of INV back down to normal levels.
According to a PeckShield official, the attack was high-risk because the $3 million worth of crypto used to deceive the pricing oracle would have been completely lost if the price of INV had returned to normal levels before the attacker took out the loans.
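To show why a price read from a thinly traded pool is unsafe as a collateral input, the following added example (not code from Inverse, Keep3r or PeckShield) models a constant-product pool and a lending-side deviation check that pauses borrowing on a price spike. The pool model, fee, reserves, thresholds and function names are assumptions made for illustration; the article does not say how the oracle computes its price.

```python
from statistics import median

FEE = 0.003  # assumed 0.3% swap fee of a constant-product (x*y=k) pool

def price_after_buy(inv_reserve, eth_reserve, eth_in):
    """Spot price (ETH per INV) after eth_in ETH is swapped into the pool for INV."""
    eth_effective = eth_in * (1 - FEE)            # the fee is withheld from the swap math
    inv_out = inv_reserve * eth_effective / (eth_reserve + eth_effective)
    return (eth_reserve + eth_in) / (inv_reserve - inv_out)

def is_anomalous(reported, recent, max_dev=0.20):
    """True when the reported price strays more than max_dev from the recent median."""
    ref = median(recent)
    return abs(reported - ref) / ref > max_dev

def borrow_limit(collateral_inv, reported, recent, factor=0.6, guarded=True):
    """ETH that may be borrowed against collateral_inv; 0 while the price is anomalous."""
    if guarded and is_anomalous(reported, recent):
        return 0.0                                # pause borrowing instead of trusting the spike
    return collateral_inv * reported * factor

# Constructed sample data, not figures from the incident.
RECENT = [0.150, 0.151, 0.149, 0.150, 0.152]      # recent ETH-per-INV observations
THIN_POOL = (2_000, 300)                          # INV and ETH reserves
DEEP_POOL = (200_000, 30_000)                     # 100x the liquidity, same starting price

if __name__ == "__main__":
    for name, (inv, eth) in (("thin", THIN_POOL), ("deep", DEEP_POOL)):
        p = price_after_buy(inv, eth, 300)        # the same 300 ETH purchase in both pools
        print(f"{name} pool: price {p:.4f} ETH/INV, anomalous={is_anomalous(p, RECENT)}")
        print("  unguarded limit:", round(borrow_limit(1_000, p, RECENT, guarded=False), 2))
        print("  guarded limit:  ", round(borrow_limit(1_000, p, RECENT), 2))
```

The same purchase roughly quadruples the price in the thin pool but moves the deep pool by about 2 percent, which is why pool liquidity and a sanity check against recent prices both matter for any asset accepted as collateral.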
The attacker made off with 1,588 ETH, 94 WBTC, 39 YFI, and 3,999,669 DOLA. Most of the funds have been cycled back through Tornado Cash, making it difficult to predict where they will wind up, although 73.5 ETH (about $250,000) remains in the attacker’s initial Ethereum wallet.
Inverse said that all borrowing on Anchor had been temporarily halted. A spokesman for the protocol told CoinDesk that it is working with Chainlink to develop a new INV oracle.
Inverse also stated that it intends to put a proposal to its decentralized autonomous organization (DAO) to “guarantee that all wallets affected by the price manipulation are compensated 100 percent,” though it did not elaborate.