Just two months after losing $15.6 million in an oracle price manipulation exploit, Inverse Finance has been hit again, this time by a flash loan exploit that netted the attackers $1.26 million in Tether (USDT) and Wrapped Bitcoin (wBTC).
Inverse Finance is an Ethereum-based decentralized finance (DeFi) protocol, and flash loans are a type of crypto loan that is typically borrowed and repaid in a single transaction. Oracles supply externally sourced price information.
The most recent exploit used a flash loan to manipulate the price oracle for the liquidity provider (LP) tokens used by the protocol's money market application. This allowed the attacker to borrow a larger amount of the protocol's stablecoin, Dola (DOLA), than the collateral they had posted was worth, and pocket the difference.
The attack came just over two months after a similar April 2 exploit, in which attackers artificially manipulated the price of a collateral token through a price oracle and drained funds using the inflated price.
In response to the attack, Inverse Finance temporarily paused borrowing and removed DOLA from the money market while it investigated the incident, saying no user funds were at risk.
Inverse has temporarily paused its debt after this morning's incident in which DOLA was removed from the money market, Frontier. We investigated the incident, but no user funds were taken or were at risk. We are currently investigating and will provide more details soon.
– Inverse+ (@InverseFinance) June 16, 2022
It later confirmed that only the collateral deposited by the attacker was affected in the incident and that it only incurred debt to itself as a result of the stolen DOLA. It also encouraged the attacker to return the funds in exchange for a “generous gift”.
In total, the attackers made off with 99.976 USDT and 53.2 wBTC from the attack, swapping it for ETH before sending it all through the Tornado Cash cryptocurrency mixer in an attempt to obfuscate the ill-gotten gains.
In the earlier attack in April, the attackers got away with $15.6 million in Ether (ETH), wBTC, Yearn.Finance (YFI) and DOLA.
DeFi marketplace Deus Finance suffered a similar exploit in March, with the attacker manipulating the price of a trading pair in the oracle, leading to a gain of 200,000 Dai (DAI) and 1101.8 ETH, valued at more than $3 million at the time.
Beanstalk Farms, a credit-based stablecoin protocol, lost all $182 million of its collateral in a flash loan attack enabled by two malicious governance proposals, which ultimately drained all funds from the protocol.
How the latest attack went down
Blockchain security company BlockSec analyzed the attack, finding that the attacker borrowed 27,000 wBTC with a flash loan and converted a small amount into the LP token that is posted as collateral in Inverse Finance so that users can borrow crypto assets.
The remaining wBTC was then swapped for USDT, causing the price of the attacker’s collateralized LP token to rise significantly in the eyes of the price oracle. With the value of these LP tokens now higher due to the price increase, the attacker was able to borrow a larger amount of the DOLA stablecoin than usual.
The value of the borrowed DOLA was much higher than the value of the deposited collateral, so the attacker swapped the DOLA for USDT and reversed the earlier wBTC-to-USDT swap before repaying the original flash loan.
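The oracle weakness described above can be reproduced in a small model. The following is an added example, not code from Inverse Finance or BlockSec: it assumes a fee-less two-asset constant-product pool, constructed reserves and prices, and hypothetical function names, and compares an LP valuation read from live pool balances with the invariant-based "fair LP price" formula and a simple skew check.

```python
from dataclasses import dataclass
from math import sqrt

@dataclass
class Pool:
    """Fee-less constant-product pool (wbtc * usdt = k). Assumed model."""
    wbtc: float
    usdt: float
    lp_supply: float

    def swap_wbtc_for_usdt(self, wbtc_in: float) -> float:
        k = self.wbtc * self.usdt          # invariant before the swap
        self.wbtc += wbtc_in
        usdt_out = self.usdt - k / self.wbtc
        self.usdt -= usdt_out
        return usdt_out

def naive_lp_price(pool: Pool, p_wbtc: float, p_usdt: float) -> float:
    # Weak: values whatever balances the pool holds right now at external
    # prices, so a single large swap inside one transaction moves the result.
    return (pool.wbtc * p_wbtc + pool.usdt * p_usdt) / pool.lp_supply

def fair_lp_price(pool: Pool, p_wbtc: float, p_usdt: float) -> float:
    # Hardened: depends only on the invariant k and external prices;
    # swaps do not change k in a fee-less pool, so the price stays put.
    k = pool.wbtc * pool.usdt
    return 2 * sqrt(k * p_wbtc * p_usdt) / pool.lp_supply

def pool_is_skewed(pool: Pool, p_wbtc: float, p_usdt: float,
                   tolerance: float = 0.02) -> bool:
    # Detection: pool spot price far from the external reference price.
    spot = pool.usdt / pool.wbtc
    reference = p_wbtc / p_usdt
    return abs(spot - reference) / reference > tolerance

def demo():
    # Constructed sample values, not figures from the incident.
    p_wbtc, p_usdt = 20_000.0, 1.0
    pool = Pool(wbtc=1_000, usdt=20_000_000, lp_supply=100_000)
    snapshot = lambda: (naive_lp_price(pool, p_wbtc, p_usdt),
                        fair_lp_price(pool, p_wbtc, p_usdt),
                        pool_is_skewed(pool, p_wbtc, p_usdt))
    before = snapshot()
    pool.swap_wbtc_for_usdt(3_000)         # large one-sided swap
    return before, snapshot()

if __name__ == "__main__":
    print(demo())
```

With these constructed numbers the balance-based price more than doubles after the swap, while the invariant-based price is unchanged and the skew check trips.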