Yet another protocol in the DeFi segment, Inverse Finance, has been attacked for the second time in less than three months. Analysts at PeckShield shared details of the attack vector and tracked the stolen funds.
Inverse Finance DeFi protocol suffers $1.2 million hack
Per the statement shared by leading cybersecurity team PeckShield, Inverse Finance, an open-source protocol for lending/borrowing of crypto assets, was attacked today, June 16, 2022.
1/ @InverseFinance was exploited in https://t.co/OaCemQfWug, leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger).
— PeckShield Inc. (@peckshield) June 16, 2022
To initiate the attack, the hackers manipulated price oracles. The oracles calculate LP asset prices using data about the amount of assets in a given liquidity pool.
For this manipulation, attackers used an Aave (AAVE) flash loan in Curve Finance (CRV) and borrowed Inverse Finance's asset, DOLA, at an extremely low price. Then, DOLA was exchanged for USDT to repay the initial loan.
As a result, hackers managed to move 1,000 Ethers to the Tornado Cash transaction-obfuscating service. Another 68 ETH sit in the attacker's account.
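The oracle weakness described above, as an added example that is not Inverse Finance's or PeckShield's code: it prices an LP token from current pool balances, then from the pool invariant, and shows which one moves after a single large trade. The two-asset constant-product pool, the external reference price and all names and numbers are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Pool:
    """Simplified two-asset constant-product pool (x * y = k, no fees)."""
    stable: float     # stablecoin reserve, valued at 1.0 USD each
    volatile: float   # volatile-asset reserve
    lp_supply: float  # LP tokens outstanding

    def swap_stable_in(self, amount: float) -> float:
        """Trade `amount` stablecoins into the pool; returns volatile asset paid out."""
        k = self.stable * self.volatile
        self.stable += amount
        out = self.volatile - k / self.stable
        self.volatile -= out
        return out

def balance_based_lp_price(pool: Pool, ref_price: float) -> float:
    """Weak: values the current reserves, which one large trade can skew."""
    return (pool.stable + pool.volatile * ref_price) / pool.lp_supply

def invariant_based_lp_price(pool: Pool, ref_price: float) -> float:
    """Hardened: 2*sqrt(k * p_stable * p_volatile) / supply depends only on the
    invariant k, which a fee-less swap leaves unchanged."""
    k = pool.stable * pool.volatile
    return 2 * math.sqrt(k * 1.0 * ref_price) / pool.lp_supply

def price_is_suspicious(pool: Pool, ref_price: float, max_dev: float = 0.02) -> bool:
    """Detection check: flag when the two valuations disagree by more than max_dev."""
    fair = invariant_based_lp_price(pool, ref_price)
    return abs(balance_based_lp_price(pool, ref_price) - fair) / fair > max_dev

def demo() -> dict:
    # Constructed numbers: 1,000,000 stable + 1,000 volatile, reference price 1,000 USD.
    pool, ref = Pool(1_000_000.0, 1_000.0, 1_000.0), 1_000.0
    before = balance_based_lp_price(pool, ref)
    flagged_before = price_is_suspicious(pool, ref)
    pool.swap_stable_in(9_000_000.0)  # one large, temporarily funded trade
    return {
        "weak_before": before,
        "weak_after": balance_based_lp_price(pool, ref),
        "hardened_after": invariant_based_lp_price(pool, ref),
        "flagged_before": flagged_before,
        "flagged_after": price_is_suspicious(pool, ref),
    }

if __name__ == "__main__":
    print(demo())
```

A lending protocol that accepts LP tokens as collateral can use the deviation check to reject a price update or pause borrowing, rather than trusting a same-block balance reading.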
Bots behind large-scale attack?
The Inverse Finance team confirmed that the protocol was attacked; all lending/borrowing operations are halted while the internal investigation is underway.
Also, PeckShield revealed that the hack may have been performed by a bot that front-ran the "original attack." However, DeFi veteran Banteg, a contributor to Yearn.Finance, highlights that the bot would never have cashed out the money so quickly.
As covered by U.Today previously, April's attack on Inverse Finance resulted in $15.6 million lost due to the malicious inflation of INV token's price.