Inverse Finance Second Price Oracle Exploit
Latest revision as of 12:50, 1 September 2023. Imported case study; original source: https://www.quadrigainitiative.com/casestudy/inversefinancesecondpriceoracleexploit.php
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Inverse Finance, a decentralized lending protocol, experienced its second hack of the year through price oracle manipulation. The attacker made a profit of $1.26 million in BTC and USDT by exploiting imbalances in assets to calculate LP token prices. The attacker used a flash loan to manipulate pool reserves and quickly sold the stolen funds via Uniswap, laundering them through Tornado Cash. The protocol temporarily halted borrowing services and removed its stablecoin DOLA from its money market, reassuring users that no funds were taken or at risk.
About Inverse Finance
Inverse Finance is a DeFi platform which describes itself as "a decentralized autonomous organization that develops and manages the FiRM fixed rate lending protocol and DOLA, a debt-backed decentralized stablecoin"[1]. Inverse Finance is responsible for developing and managing the FiRM fixed-rate lending protocol, the DOLA decentralized stablecoin, and the DBR DeFi primitive[1]. They offer fixed-rate borrowing (DOLA Borrowing Rights), earning returns through liquidity provision, and staking INV for DBR yield[1][2].
The protocol was originally founded by Nour Haridy in late 2020 but is now governed by the Inverse Finance DAO, a collective of crypto enthusiasts[1]. Their code base is open source and community-maintained[1].
The Inverse Finance homepage emphasizes their security measures, transparency, and governance model[2]. It provides statistics on token circulation, 24-hour volume, and total value locked[2]. Additionally, it mentions their involvement in the Curve ecosystem and encourages community participation[2]. It mentions the prices of their tokens (DOLA, DBR, INV)[2].
INV token holders have voting power in the on-chain governance system called Governor Mills. The DAO has created Working Groups with discretionary budgets for agility. Inverse Finance aims to secure the availability of synthetic assets, particularly decentralized stablecoins, while prioritizing decentralization, transparency, sustainable growth, and member control[1].
Their vision is to empower everyone with an internet connection through decentralized stablecoins[1]. Whether you're experienced in DeFi or new to crypto, their Gitbook provides a comprehensive understanding of Inverse Finance's offerings[1].
The Reality
The Ethereum-based lending protocol Inverse Finance has experienced its second hack this year. In this attack, the hacker exploited a vulnerability related to price oracle manipulation, resulting in a profit of $1.26 million in BTC and USDT.[3]
The hacker manipulated asset balances in the pool to calculate the LP token price directly, altering the pool's reserves and enabling a flash loan attack. The stolen funds were quickly sold on Uniswap and passed through Tornado Cash for anonymity.[3]
Inverse Finance temporarily halted its borrowing services in response to the hack and confirmed that its over-collateralized stablecoin DOLA was removed from its money market, Frontier. The protocol assured users that no user funds were taken or at risk and that an investigation was underway.[3]
Security firm PeckShieldAlert suggested that the attack might have been carried out by a bot that front-ran the original hack.[3]
This is the second significant exploit for Inverse Finance this year, following a $15.6 million loss in April due to a price manipulation attack. During that incident, the protocol offered a reward for the return of the stolen funds, but this time, they have not made a similar offer.[3]
DeFi protocols and Discord servers have been increasingly targeted by exploits in 2022, raising concerns about security in the crypto industry alongside liquidation issues due to the ongoing bear market.[3]
What Happened
"Ethereum-based lending protocol, Inverse Finance, has witnessed its second hack this year. The DeFi lender was exploited via price oracle manipulation through which, the attacker made a profit of $1.26 million in BTC and USDT."
"@InverseFinance was exploited leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger)."[4]
| Date | Event | Description |
|---|---|---|
| June 16th, 2022 2:47:58 AM MDT | Blockchain Transaction | The blockchain exploit transaction. |
| June 16th, 2022 3:51:00 AM MDT | Inverse Finance Tweet | Inverse Finance acknowledges the attack on Twitter[5]. They report that they have temporarily paused borrowing. |
| June 16th, 2022 4:33:00 AM MDT | PeckShield Summary | PeckShield shares a summary of the attack on Twitter[4]. |
| June 16th, 2022 6:53:28 AM MDT | Vault Insights Article | Vault Insights reports on the attack, a vulnerability related to price oracle manipulation, resulting in a profit of $1.26 million in BTC and USDT. The hacker manipulated asset balances in the pool to calculate the LP token price directly, altering the pool's reserves and enabling a flash loan attack. Inverse Finance temporarily halted its borrowing services in response to the hack and confirmed that its over-collateralized stablecoin DOLA was removed from its money market, Frontier. Security firm PeckShieldAlert suggested that the attack might have been carried out by a bot that front-ran the original hack. A previous significant exploit for Inverse Finance of $15.6 million in April is also referenced[3][6]. |
Technical Details
Hacking Transaction: 0x958236266991bc3fe3b77feaacea120f172c0708ad01c7a715b255f218f9313c[7]
Exploiter Wallet: 0x7b792e49f640676b3706d666075e903b3a4deec6[8]
"[T]he hacker misused the balances of assets in the pool to directly calculate the LP token price, further altering the reserves in the pool and facilitating a flash loan attack. The attacker quickly sold the stolen funds via Uniswap, further putting them through Tornado cash."
"The hack is made possible due to the price oracle manipulation, which misuses the balances of assets in the pool to directly calculate the LP token price. It is greatly facilitated by the flashloan to skew the reserves in the pool."
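As an added illustration (not code from the case study, from Inverse Finance, or from PeckShield) of the oracle weakness the two quotes above describe, and which PeckShield's thread below repeats: a toy constant-product pool priced two ways. The naive valuation sums the pool's current reserves at their prices, which is exactly the "balances of assets in the pool" input the quotes point at; the alternative valuation uses the pool invariant k = r0*r1, which a swap cannot move apart from the retained fee. The pool figures, prices and trade size are constructed, and the names Pool, lp_price_naive, lp_price_fair and reserve_imbalance are this example's own. Running it shows one large one-sided swap, the kind of reserve skew that borrowed capital makes affordable, multiplying the naive LP price while the invariant-based price moves by a fraction of a percent, together with the imbalance ratio a lending market could check before accepting an LP token as collateral.

```python
# Added example: a toy constant-product (x*y=k) pool used to compare a
# reserve-based LP token valuation with an invariant-based one. Not code
# from Inverse Finance or PeckShield; every number below is constructed.
from dataclasses import dataclass
from math import sqrt


@dataclass
class Pool:
    """Minimal two-token pool: reserves plus outstanding LP token supply."""
    r0: float            # reserve of token0
    r1: float            # reserve of token1
    lp_supply: float     # LP tokens outstanding
    fee: float = 0.003   # swap fee, retained in the pool

    def swap0_for_1(self, amount_in: float) -> float:
        """Sell `amount_in` of token0 to the pool along x*y=k; returns token1 paid out."""
        k = self.r0 * self.r1
        effective_in = amount_in * (1.0 - self.fee)
        new_r1 = k / (self.r0 + effective_in)
        amount_out = self.r1 - new_r1
        self.r0 += amount_in        # the fee portion stays in the pool
        self.r1 = new_r1
        return amount_out


def lp_price_naive(pool: Pool, p0: float, p1: float) -> float:
    """Reserve-based valuation: (r0*p0 + r1*p1) / supply.
    This is the pattern the case study describes: the current balances
    of the pool feed the price directly, so skewing them skews the price."""
    return (pool.r0 * p0 + pool.r1 * p1) / pool.lp_supply


def lp_price_fair(pool: Pool, p0: float, p1: float) -> float:
    """Invariant-based valuation: 2*sqrt(k*p0*p1) / supply with k = r0*r1.
    A swap leaves k unchanged (it grows only by the retained fee), so a
    one-sided trade cannot inflate this number. p0 and p1 must come from
    a source independent of this pool (e.g. a TWAP or an external feed)."""
    return 2.0 * sqrt(pool.r0 * pool.r1 * p0 * p1) / pool.lp_supply


def reserve_imbalance(pool: Pool, p0: float, p1: float) -> float:
    """naive / fair. Exactly 1.0 when the pool holds equal value on both
    sides; by AM-GM it can only rise when the reserves are skewed. A lending
    market can refuse LP collateral (or pause the market) while this ratio
    sits above a tolerance, which is a cheap on-chain sanity check."""
    return lp_price_naive(pool, p0, p1) / lp_price_fair(pool, p0, p1)


def demo() -> tuple[tuple[float, float], tuple[float, float]]:
    """Returns ((naive, fair) before, (naive, fair) after) a large one-sided swap."""
    # Constructed pool: 1,000 token0 at $100 against 100,000 token1 at $1,
    # 10,000 LP tokens outstanding, so each LP token is worth $20.
    pool = Pool(r0=1_000.0, r1=100_000.0, lp_supply=10_000.0)
    p0, p1 = 100.0, 1.0
    before = (lp_price_naive(pool, p0, p1), lp_price_fair(pool, p0, p1))
    # One trade nine times the pool's token0 reserve: the sort of reserve
    # skew that borrowed (flash-loan) capital makes affordable for a block.
    pool.swap0_for_1(9_000.0)
    after = (lp_price_naive(pool, p0, p1), lp_price_fair(pool, p0, p1))
    return before, after


if __name__ == "__main__":
    (n0, f0), (n1, f1) = demo()
    print(f"before skew: naive={n0:.3f} fair={f0:.3f}")
    print(f"after skew:  naive={n1:.3f} fair={f1:.3f}")
```

The reason the second formula holds up is the inequality r0*p0 + r1*p1 >= 2*sqrt(r0*r1*p0*p1), with equality only when both sides of the pool carry equal value: skewed reserves can only push the reserve-based number up, never the invariant-based one, which rises only by the fee the trade leaves behind. The invariant-based price is only as good as the p0 and p1 fed into it, so those prices must not themselves be read from the same pool's spot reserves.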
Movement Of Obtained Funds
"The initial fund (1 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 68 ETHs of the illicit gains still stay in the hacker’s account and 1000 ETHs have been deposited to @TornadoCash"
Analysis From Peckshield
@InverseFinance was exploited in [7], leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger).
2/ To illustrate, we use the above tx and show the key steps below
3/ The hack is made possible due to the price oracle manipulation, which misuses the balances of assets in the pool to directly calculate the LP token price. It is greatly facilitated by the flashloan to skew the reserves in the pool.
4/ The initial fund (1 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 68 ETHs of the illicit gains still stay in the hacker’s account https://etherscan.io/address/0x7b792e49f640676b3706d666075e903b3a4deec6…… and 1000 ETHs have been deposited to @TornadoCash
Total Amount Lost
"Ethereum-based lending protocol, Inverse Finance, has witnessed its second hack this year. The DeFi lender was exploited via price oracle manipulation through which, the attacker made a profit of $1.26 million in BTC and USDT."
"@InverseFinance was exploited leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger)."
The total amount lost has been estimated at $1,260,000 USD.
Immediate Reactions
"The protocol’s official Twitter handle acknowledged the exploit and announced that they are temporarily halting the borrowing services because of the hack. Inverse Finance said its over-collateralized stablecoin DOLA was removed from its money market, Frontier. The DeFi platform tweeted — “We are investigating the incident however no user funds were taken or were at risk. We are investigating and will provide more details soon”."
"Inverse has temporarily paused borrows following an incident this morning where DOLA was removed from our money market, Frontier. We are investigating the incident however no user funds were taken or were at risk. We are investigating and will provide more details soon."[5]
Ultimate Outcome
The Inverse Finance protocol ultimately implemented multiple policies to help secure the protocol. The importance of security was later emphasized on an updated Inverse Finance website[9][10].
"We know the importance of security, especially for new lending protocols. Read our audit reports or work with us as we expand our third party security efforts."
Code4Rena Bug Bounty Contest
Sources: [11][12]
Nomoi Web3 Hacker Collective
Sources: [12]
DefiMoon Boutique Auditing Firm
Sources: [12]
Inverse Finance Peckshield Audits
Sources: [12][13]
Total Amount Recovered
The total amount recovered is unknown.
"The initial fund (1 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 68 ETHs of the illicit gains still stay in the hacker’s account and 1000 ETHs have been deposited to @TornadoCash"
Ongoing Developments
"The initial fund (1 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 68 ETHs of the illicit gains still stay in the hacker’s account and 1000 ETHs have been deposited to @TornadoCash"
Individual Prevention Policies
The Inverse Finance smart contract did not have any smart contract audit performed prior to the attacks. Users need to be extremely cautious when evaluating projects which haven't been audited.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
A third party smart contract audit would likely have uncovered the oracle manipulation vulnerability in the Inverse Finance protocol, preventing the loss. An industry insurance fund can assist victims, and also help with ensuring proper validation.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
A third party smart contract audit would likely have uncovered the oracle manipulation vulnerability in the Inverse Finance protocol, preventing the loss. An industry insurance fund can assist victims, and also help with ensuring proper validation.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Introduction - Inverse Finance, https://docs.inverse.finance/inverse-finance/inverse-finance/introduction (Aug 25, 2023)
- [2] Inverse Finance Homepage, https://www.inverse.finance/ (Aug 25, 2023)
- [3] DeFi Hack: Inverse Finance Exploited For The Second Time This Year - Vauld Insights, https://www.vauld.com/insights/defi-hack-inverse-finance-exploited-for-the-second-time-this-year/ (Aug 25, 2023)
- [4] Peckshield - "@InverseFinance was exploited in [a transaction], leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger)." - Twitter, https://twitter.com/peckshield/status/1537382891230883841 (Aug 25, 2023)
- [5] Inverse Finance - "Inverse has temporarily paused borrows following an incident this morning where DOLA was removed from our money market, Frontier. We are investigating the incident however no user funds were taken or were at risk. We are investigating and will provide more details soon." - Twitter, https://twitter.com/InverseFinance/status/1537372199769845760 (Aug 25, 2023)
- [6] Vauld Official - "DeFi Hack: Inverse Finance Exploited For The Second Time This Year" - Twitter, https://twitter.com/VauldOfficial/status/1537427781574725635 (Oct 19, 2022)
- [7] Ethereum Transaction Hash (Txhash) Details | Etherscan, https://etherscan.io/tx/0x958236266991bc3fe3b77feaacea120f172c0708ad01c7a715b255f218f9313c (Aug 25, 2023)
- [8] Inverse Finance Exploiter - Etherscan, https://etherscan.io/address/0x7b792e49f640676b3706d666075e903b3a4deec6 (Sep 1, 2023)
- [9] Inverse Finance Homepage, https://www.inverse.finance/ (Aug 25, 2023)
- [10] Inverse Finance Homepage Archive March 13th, 2022 4:14:01 PM MDT, https://web.archive.org/web/20220313221401/https://www.inverse.finance/ (Sep 1, 2023)
- [11] Inverse Finance Docs - Audits (archived), https://web.archive.org/web/20230330071157/https://docs.inverse.finance/inverse-finance/technical/audits (Sep 1, 2023)
- [12] Inverse Finance Docs - Audits, https://docs.inverse.finance/inverse-finance/technical/audits (Sep 1, 2023)
- [13] Inverse Finance Audit By Peckshield, https://drive.google.com/file/d/1LWNG08mib2GcI1WqnMt5IdFoW73QU2F8/view (Sep 1, 2023)