
Hackers stole more than $15 million in attack on Inverse Finance lending project
On April 2, the lending project Inverse Finance reported a hacking attack in which assets worth $15.6 million were stolen. The protocol team pledged to reimburse users’ losses.
This morning Inverse Finance’s money market, Anchor, was subject to a capital-intensive manipulation of the INV/ETH price oracle on Sushiswap, resulting in a sharp rise in the price of INV which subsequently enabled the attacker to borrow $15.6 million in DOLA, ETH, WBTC, & YFI
— Inverse+ (@InverseFinance) April 2, 2022
“This morning, one of Inverse Finance’s markets, Anchor, was subjected to a capital-intensive manipulation of the INV/ETH price oracle on SushiSwap, which led to a sharp rise in INV quotes. This allowed the attacker to borrow $15.6 million in DOLA, ETH, WBTC and YFI,” the project team wrote.
According to PeckShield, the attacker exploited a vulnerability in the Keep3r price oracle, which Inverse Finance uses to track token prices. The exploit allowed the hacker to “trick” the protocol — he inflated INV quotes and used the asset as collateral on the Anchor Protocol market.
2/ The hack is made possible due to the price oracle manipulation bug so that when the INV (with highly manipulated price) is used as collateral to drain assets from @InverseFinance.
— PeckShield Inc. (@peckshield) April 2, 2022
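The failure mode described above, seen from the lending protocol's side, as an added example that is not from the article, PeckShield, or Inverse Finance's code: a single large buy in a thin constant-product pool moves a short-window average price, and a deviation check against a longer window keeps that price out of the collateral valuation. The pool reserves, window lengths, 10% threshold and collateral factor are constructed assumptions.

```python
# Added illustration; all reserves, windows and thresholds are constructed,
# not Inverse Finance, Keep3r or SushiSwap data.
from statistics import mean

def spot_price(eth_reserve, token_reserve):
    """Token price in ETH implied by a constant-product (x*y=k) pool."""
    return eth_reserve / token_reserve

def buy_token(eth_reserve, token_reserve, eth_in, fee=0.003):
    """Reserves after eth_in ETH is swapped for the token (fee stays in pool)."""
    k = eth_reserve * token_reserve
    token_after = k / (eth_reserve + eth_in * (1 - fee))
    return eth_reserve + eth_in, token_after

def twap(prices, window):
    """Arithmetic mean of the last `window` per-block prices."""
    return mean(prices[-window:])

def collateral_price(prices, short_window=2, long_window=60, max_deviation=0.10):
    """Return (price, ok). The short TWAP is used only if it stays within
    max_deviation of the long TWAP; otherwise borrowing should pause."""
    short, long_ = twap(prices, short_window), twap(prices, long_window)
    ok = abs(short - long_) / long_ <= max_deviation
    return (short if ok else long_), ok

def borrow_limit(collateral_units, price, collateral_factor=0.5):
    """Maximum debt (in ETH) the market would allow against the collateral."""
    return collateral_units * price * collateral_factor

def simulate(eth_in):
    """60 calm blocks, one large buy, then 2 blocks at the moved price."""
    eth, tok = 500.0, 5000.0                      # constructed thin pool
    prices = [spot_price(eth, tok)] * 60
    eth, tok = buy_token(eth, tok, eth_in)
    prices += [spot_price(eth, tok)] * 2
    naive = twap(prices, 2)                       # what a short-window oracle reports
    guarded, ok = collateral_price(prices)
    return naive, guarded, ok

if __name__ == "__main__":
    naive, guarded, ok = simulate(eth_in=300.0)
    print(f"short-window price {naive:.4f} ETH, guarded {guarded:.4f} ETH, ok={ok}")
    print("borrow limit, naive  :", borrow_limit(1000, naive))
    print("borrow limit, guarded:", borrow_limit(1000, guarded))
```

The check does not make the pool price immovable; it makes the valuation depend on the price holding for the longer window, and the `ok` flag gives the market a signal to pause borrowing against that collateral.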
The attacker needed to deposit 901 ETH (over $3.15 million) to carry out the attack. The funds came from the Tornado Cash mixer. The attacker also transferred most of the stolen assets to the service’s address.
As of writing, the hacker’s address at 0x8b4c1083cd6aef062298e1fa900df9832c8351b3 is nearly drained.
The Inverse Finance team suspended all lending operations on the Anchor Protocol market. The developers have contacted the hacker requesting the return of the stolen assets for a reward.
One proposal to reimburse losses to affected users will be brought before the project’s decentralized autonomous organization (DAO) for consideration.
In March 2022, hackers attacked the Ronin sidechain of the Axie Infinity blockchain game. The attackers withdrew assets worth $625 million.