Header Ads Widget

POST ADS1

Hackers stole more than $15 million in an attack on Inverse Finance's web-based project

Hackers stole more than $15 million in an attack on Inverse Finance's web-based project

On April 2, Inverse Finance's banding project reported a hacking attack that stole $15.6 million in assets. The protocol team promised to compensate users for their losses.

This morning Inverse Finance's money market, Anchor, was subject to a capital-intensive manipulation of the INV/ETH price oracle on Sushiswap, resulting in a sharp rise in the price of INV which subsequently enabled the attacker to borrow $15.6 million in DOLA, ETH, WBTC, YFI - Inverse+ (@InverseFinance) April 2, 2022

"One of Inverse Finance's markets, Anchor, was subjected to a capital-intensive manipulation of the INV/ETH price oracle on SushiSwap this morning, causing INV quotes to spike. This allowed the attacker to borrow $15.6 million in DOLA, ETH, WBTC and YFI," the project team wrote.

According to PeckShield, the attacker took advantage of a vulnerability in the Keep3r price oracle, which Inverse Finance uses to track token prices. The exploit allowed the hacker to "cheat" the protocol - he overquoted INV and used the asset as collateral in the Anchor Protocol market.

2/ The hack is made possible due to the price oracle manipulation bug so that when the INV (with highly manipulated price) is used as collateral to drain assets from @InverseFinance. pic.twitter.com/hDQG55XU5f - PeckShield Inc. (@peckshield) April 2, 2022

The company noted that the hacker needed to deposit 901 ETH (over $3.15 million) to carry out the attack. The funds came from a Tornado Cash mixer. The attacker also transferred most of the stolen assets to the service address.

As of this writing, the hacker's address is nearly empty;

Inverse Finance team suspended all borrowing operations on Anchor Protocol marketplace. The developers have asked the hacker to return the stolen assets for a fee;

A proposal to compensate the affected users will be submitted to the DAO behind the project;

As a reminder, in March 2022, hackers attacked the Axie Infinity blockchain game's Ronin sidechain. The attackers took out assets worth a total of $625 million.

Post a Comment

0 Comments

POST ADS2