Categories: Crypto Freedom News

Inverse Finance exploited again for $1.2M in flash loan oracle attack

[ad_1]

Just two months after losing $15.6 million in a price oracle manipulation exploit, Inverse Finance has again been hit with a flash loan exploit that saw the attackers make off with $1.26 million in Tether (USDT) and Wrapped Bitcoin (wBTC).

Inverse Finance is an Ethereum-based decentralized finance (DeFi) protocol and a flash loan is a type of crypto loan that is usually borrowed and returned within a single transaction. Oracles report outside pricing information.

The latest exploit worked by using a flash loan to manipulate the price oracle for a liquidity provider (LP) token used by the protocol’s money market application. This allowed the attacker to borrow a larger amount of the protocol’s stablecoin, Dola (DOLA), than the amount of collateral they posted, letting them pocket the difference.

The attack comes just over two months after a similar April 2 exploit, which saw attackers artificially manipulate collateralized token prices through a price oracle to drain funds using the inflated prices.

In response to the attack, Inverse Finance temporarily paused borrowing and removed DOLA from the money market while it investigated the incident, saying no user funds were at risk.

It later confirmed that only the attacker’s deposited collateral was affected in the incident and only incurred a debt to itself due to the stolen DOLA. It encouraged the attacker to return the funds in return for a “generous bounty.”

Related: Attackers loot $5M from Osmosis in LP exploit, $2M returned soon after

In total, the attackers gained 99,976 USDT and 53.2 wBTC from the attack, swapping them to ETH before sending it all through the cryptocurrency mixer Tornado Cash, attempting to obfuscate the ill-gotten gains.

The previous attack in April saw attackers make off with $15.6 million in Ether (ETH), wBTC, Yearn.Finance (YFI) and DOLA.

DeFi marketplace Deus Finance suffered from a similar exploit in March, with attackers manipulating a price pairing within an oracle leading to a gain of 200,000 Dai (DAI) and 1101.8 ETH, worth over $3 million at the time.

Beanstalk Farms, a credit-based stablecoin protocol, lost all $182 million worth of collateral in a flash loan attack caused by two malicious governance proposals, which in the end, drained all funds from the protocol.

How the latest attack went down

Blockchain security firm BlockSec analyzed that the attacker borrowed 27,000 wBTC in a flash loan, swapping a small amount to the LP token used to post collateral in Inverse Finance so users can borrow crypto assets.

The remaining wBTC was swapped to USDT, causing the price of the attacker’s collateralized LP token to rise significantly in the eyes of the price oracle. With the value of these LP tokens now worth far more due to the price rise, the attacker borrowed a larger amount than usual of the DOLA stablecoin.

The value of the DOLA was worth much more than the deposited collateral, so the attacker swapped the DOLA to USDT, and the earlier wBTC to USDT swap was reversed to repay the original flash loan.

[ad_2]

Source link

PrepTeam

Share
Published by
PrepTeam

Recent Posts

Dear Diary, It’s Me, Jessica: Part 16

[ad_1] If you're new here, you may want to subscribe to my RSS feed. Thanks…

3 months ago

Google Faces Lawsuit After $5M in Crypto Stolen via Play Store App

[ad_1] A Florida woman, Maria Vaca, has sued Google in a California state court, alleging…

3 months ago

All About Water Purification: A Complete Tutorial

[ad_1] You may need to purify water to make it safe to drink. The process…

3 months ago

Protocol Village: Quai Releases Mainnet-Compatible Devnet, Crunch Lab Raises $3.5M

[ad_1] The latest in blockchain tech upgrades, funding announcements and deals. For the period of…

3 months ago

The Grim New Daily Life in Venezuela

[ad_1] If you're new here, you may want to subscribe to my RSS feed. Thanks…

3 months ago

World’s 3rd largest public pension fund buys $34M MicroStrategy shares

[ad_1] The third-largest public pension fund in the world has just bought nearly $34 million…

3 months ago