Key Takeaways:
- Inverse Finance is currently investigating this attack, and they have lost around $15.6M in the form of 1588 ETH, 94 WBTC, 4M DOLA, and 39.3 YFI
Inverse Finance is a suite of permissionless decentralized finance tools governed by Inverse DAO, a decentralized autonomous organization running on the Ethereum blockchain. The main Inverse Finance products are Anchor and DOLA stablecoin.
Details of the Inverse Finance Hack
So around 4:52 PM IST Peckshield tweeted about this attack with the link of attacker’s transaction.
Firstly, the attacker withdrew 901 ETH from Tornado Cash. Then they transferred around 1.5 ETH to 241 clean addresses via Disperse and deployed five different smart contracts, out of which only one was real.
The attacker then swapped 500 ETH to 1.7k INV so that it went through the INV-WETH pair on SushiSwap, significantly changing the price due to low liquidity, i.e., 50x.
At the same time, the attacker started spamming transactions with an exploit to be the first to get into the next block and get an inflated price from SushiSwap. Attackers used multiple addresses and additional contracts to confuse generalized bots, which could front-run the attacker.
This hack is made possible due to the price oracle manipulation bug so that when the INV (with highly manipulated price) is used as collateral to drain assets from InverseFinance.
The attacker deposited his 1.7k INV (fair price – $644k) as collateral and borrowed $15.6M.
Meanwhile, Inverse Finance Team has tweeted that, we are currently addressing the situation please wait for an official announcement. As of now, i.e., 6:10 PM IST 73.5 ETH are still in the hacker’s account. As a result of this attack price of its native token is down by 15%.
