Hackers withdrew $1,26 million from Inverse Finance

What’s new? On June 16, Inverse Finance, a lending protocol, was hacked a second time. Attackers managed to withdraw $1,26 million, but the project could have lost more, according to analytics firm PeckShield. Inverse Finance developers confirmed the information about the hack and temporarily disabled the lending function to prevent further loss of funds. The team stressed that users’ assets were not affected during the incident.

1/ @InverseFinance was exploited in https://t.co/OaCemQfWug,leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger).— PeckShield Inc. (@peckshield) June 16, 2022

Details of the hack. According to experts, the hack was made possible by a flash loan to manipulate the price oracle for an LP token of the Inverse Finance.

An LP (liquidity pool) token is issued to users of a crypto platform after depositing a liquidity pool. The larger the amount a customer provides to the platform, the more LP tokens they receive.

Through the exploit, hackers borrowed a significantly larger amount of the Inverse Finance protocol’s stablecoins, Dola (DOLA), than the amount deposited collateral. From the protocol, they withdrew assets in Tether (USDT) and Wrapped Bitcoin (WBTC). In total, the attackers managed to get $99 976 and 53,2 WBTC by exchanging them for ETH before sending all the stolen funds through the Tornado Cash transaction mixer.

Inverse has temporarily paused borrows following an incident this morning where DOLA was removed from our money market, Frontier. We are investigating the incident however no user funds were taken or were at risk. We are investigating and will provide more details soon.— Inverse+ (@InverseFinance) June 16, 2022

Inverse Finance is a DeFi protocol based on the Ethereum blockchain. It has a fully collateralized multi-chain stablecoin DOLA and the governance token INV, which is used for staking payments.

On April 2, hackers withdrew $15,6 million from Inverse Finance. The attackers managed to commit an exploit by manipulating the price oracle of the INV/ETH pair on the SushiSwap exchange.