A blockchain analyst firm, Peckshield, highlighted a hack performed on the decentralized lending platform Inverse Finance. The analyst firm claimed that the perpetrator fled away with nearly $15.6 Million worth of crypto.
As per the thread from Inverse Finance, its money market Anchor was compromised in the cyberattack. The attacker successfully manipulated the price of INV tokens by accessing Oracle on a decentralized exchange Sushiswap.
The protocol ensured that its smart contract and front-end code were safe. To prevent further attacks, the borrowing service on Anchor has been suspended temporarily.
The bug exploitation enabled the oracle to consider INV tokens prices to an exceptionally high and borrow a million worth of loans on Anchor through inflated INV as collateral.
The attacker used Tornado Cash to drain the fund from the protocol. In the first attempt, he withdrew 901 ETH from Tornado Cash to pay back the loan. By manipulating the oracle price of INV in the Keep3r price oracle, the attacker settled down the stolen fund through numerous trading pairs on the decentralized exchange SushiSwap.
All in all, the attacker got the success to run away with 1,588 ETH, 94 WBTC, 39 YFI, and 3,999,669 DOLA. To scatter funds on the decentralized network, the attacker used Tornado Cash. Although, around 73.5 ETH are still present in the attacker’s Ethereum wallet.
Inverse Finance announced a reimbursement for the affected users who lost their funds in the attack while maintaining the current INV supply. The firm stated that “We have multiple avenues for accomplishing this and will provide updates as the DAO discusses our options”.
Also, the compensation will provide a safeguard to DOLA’s USD peg under the DOLA Fed monetary policy.
Inverse Finance also offered a bug bounty to the attacker in return for stolen funds. To discuss with the community, Inverse Finance also hosted a Twitter space event on April 2, 2022.
This was the third major cyber attack on decentralized finance protocols in the same week. Before this, another lending protocol Ola Finance’s deployment on the Fuse Network exploited in the re-entrancy attack, which led to $3.6 million worth of token loss.