On April 2, Inverse Finance's banding project reported a hacking attack that stole $15.6 million in assets. The protocol team promised to compensate users for their losses.
This morning Inverse Finance's money market, Anchor, was subject to a capital-intensive manipulation of the INV/ETH price oracle on Sushiswap, resulting in a sharp rise in the price of INV which subsequently enabled the attacker to borrow $15.6 million in DOLA, ETH, WBTC, YFI - Inverse+ (@InverseFinance) April 2, 2022
"One of Inverse Finance's markets, Anchor, was subjected to a capital-intensive manipulation of the INV/ETH price oracle on SushiSwap this morning, causing INV quotes to spike. This allowed the attacker to borrow $15.6 million in DOLA, ETH, WBTC and YFI," the project team wrote.
According to PeckShield, the attacker took advantage of a vulnerability in the Keep3r price oracle, which Inverse Finance uses to track token prices. The exploit allowed the hacker to "cheat" the protocol - he overquoted INV and used the asset as collateral in the Anchor Protocol market.
2/ The hack is made possible due to the price oracle manipulation bug so that when the INV (with highly manipulated price) is used as collateral to drain assets from @InverseFinance. pic.twitter.com/hDQG55XU5f - PeckShield Inc. (@peckshield) April 2, 2022
The company noted that the hacker needed to deposit 901 ETH (over $3.15 million) to carry out the attack. The funds came from a Tornado Cash mixer. The attacker also transferred most of the stolen assets to the service address.
As of this writing, the hacker's address is nearly empty;
Inverse Finance team suspended all borrowing operations on Anchor Protocol marketplace. The developers have asked the hacker to return the stolen assets for a fee;
A proposal to compensate the affected users will be submitted to the DAO behind the project;
As a reminder, in March 2022, hackers attacked the Axie Infinity blockchain game's Ronin sidechain. The attackers took out assets worth a total of $625 million.
0 Comments