Inverse Finance exploited again for $1.2M in flash loan oracle attack

Just two months after losing $15.6 million in a price oracle manipulation exploit, Inverse Finance has again been hit with a flash loan exploit that saw the attackers make off with $1.26 million in Tether (USDT) and Wrapped Bitcoin (wBTC).

Inverse Finance is an Ethereum-based decentralized finance (DeFi) protocol and a flash loan is a type of crypto loan that is usually borrowed and returned within a single transaction. Oracles report outside pricing information.

The latest exploit worked by using a flash loan to manipulate the price oracle for a liquidity provider (LP) token used by the protocol’s money market application. This allowed the attacker to borrow a larger amount of the protocol’s stablecoin, Dola (DOLA), than the amount of collateral they posted, letting them pocket the difference.

The attack comes just over two months after a similar April 2 exploit, which saw attackers artificially manipulate collateralized token prices through a price oracle to drain funds using the inflated prices.

In response to the attack, Inverse Finance temporarily paused borrowing and removed DOLA from the money market while it investigated the incident, saying no user funds were at risk.

It later confirmed that only the attacker’s deposited collateral was affected in the incident and only incurred a debt to itself due to the stolen DOLA. It encouraged the attacker to return the funds in return for a “generous bounty.”

Related: Attackers loot $5M from Osmosis in LP exploit, $2M returned soon after

In total, the attackers gained 99,976 USDT and 53.2 wBTC from the attack, swapping them to ETH before sending it all through the cryptocurrency mixer Tornado Cash, attempting to obfuscate the ill-gotten gains.

The previous attack in April saw attackers make off with $15.6 million in Ether (ETH), wBTC, Yearn.Finance (YFI) and DOLA.

DeFi marketplace Deus Finance suffered from a similar exploit in March, with attackers manipulating a price pairing within an oracle leading to a gain of 200,000 Dai (DAI) and 1101.8 ETH, worth over $3 million at the time.

Beanstalk Farms, a credit-based stablecoin protocol, lost all $182 million worth of collateral in a flash loan attack caused by two malicious governance proposals, which in the end, drained all funds from the protocol.

How the latest attack went down

Blockchain security firm BlockSec analyzed that the attacker borrowed 27,000 wBTC in a flash loan, swapping a small amount to the LP token used to post collateral in Inverse Finance so users can borrow crypto assets.

The remaining wBTC was swapped to USDT, causing the price of the attacker’s collateralized LP token to rise significantly in the eyes of the price oracle. With the value of these LP tokens now worth far more due to the price rise, the attacker borrowed a larger amount than usual of the DOLA stablecoin.

The value of the DOLA was worth much more than the deposited collateral, so the attacker swapped the DOLA to USDT, and the earlier wBTC to USDT swap was reversed to repay the original flash loan.