Inverse Finance First Price Oracle Exploit
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Inverse Finance, a decentralized autonomous organization, was exploited on April 2nd, 2022 through manipulation of the INV/ETH price oracle on Sushiswap that its money market, Anchor, used to value INV collateral. The attacker pushed the price of INV sharply upward so that INV posted as collateral was overvalued, allowing them to borrow $15.6 million worth of DOLA, ETH, WBTC, and YFI against it. Inverse Finance paused future borrows on Anchor. The protocol suffered a second oracle manipulation exploit in June 2022. The organization planned to propose a repayment plan to its governance and encouraged the attacker to return the funds in exchange for a bounty.
About Inverse Finance
Inverse Finance is a DeFi platform which describes itself as "a decentralized autonomous organization that develops and manages the FiRM fixed rate lending protocol and DOLA, a debt-backed decentralized stablecoin"[1]. Its products are the FiRM fixed-rate lending protocol, the DOLA decentralized stablecoin, and the DBR (DOLA Borrowing Rights) DeFi primitive[1]. Users can borrow at fixed rates through DBR, earn returns by providing liquidity, and stake INV for DBR yield[1][2]. This description reflects the project in 2023; at the time of this incident its lending market was Anchor[5].
The protocol was founded by Nour Haridy in late 2020 and is now governed by the Inverse Finance DAO, a collective of crypto enthusiasts[1]. Its code base is open source and community-maintained[1].
The Inverse Finance homepage emphasizes security measures, transparency, and the governance model, and displays token circulation, 24-hour volume, total value locked, the prices of DOLA, DBR, and INV, and the project's involvement in the Curve ecosystem[2].
INV token holders vote in the on-chain governance system, Governor Mills. The DAO has created Working Groups with discretionary budgets for agility. Inverse Finance states that it aims to secure the availability of synthetic assets, particularly decentralized stablecoins, while prioritizing decentralization, transparency, sustainable growth, and member control[1].
Its stated vision is to empower everyone with an internet connection through decentralized stablecoins[1]. The project's Gitbook documents its offerings in detail[1][3].
"Here at Inverse, we're decentralized by design, moving past reckless, outdated systems towards a better solution: Positive Sum Defi. We help you maximize your earnings via revenue sharing, accumulate high yields with sustainable APYs, and benefit from low-cost stable coin borrowing. Join our community to grow and thrive."
The Reality
Inverse Finance did not have any smart contract audit at the time of the exploit, and vulnerabilities are common in unaudited smart contracts. In this case, however, the protocol's own statement was that the manipulation was unrelated to its smart contract or front end code[5]: the weakness was a design choice, valuing INV collateral from the INV/ETH pool on Sushiswap, which a sufficiently funded attacker could move. A code audit does not necessarily examine oracle and collateral-risk design, so the scope of a review matters as much as whether one happened.
What Happened
"the protocol fell prey to its first price manipulation hack and lost $15.6 million in DOLA, ETH, WBTC, and YFI."[4]
"This morning Inverse Finance's money market, Anchor, was subject to a capital-intensive manipulation of the INV/ETH price oracle on Sushiswap, resulting in a sharp rise in the price of INV which subsequently enabled the attacker to borrow $15.6 million in DOLA, ETH, WBTC, & YFI"[5]
Date | Event | Description |
---|---|---|
April 2nd, 2022 9:44:00 AM MDT | Inverse Finance Tweet | Inverse Finance posts about the incident on Twitter[5]. |
June 16th, 2022 6:53:28 AM MDT | Vauld Insights Article | The attack is referenced again in an article by Vauld Insights, in relation to a second oracle exploit on the protocol[4]. |
Technical Details
"This morning Inverse Finance's money market, Anchor, was subject to a capital-intensive manipulation of the INV/ETH price oracle on Sushiswap, resulting in a sharp rise in the price of INV which subsequently enabled the attacker to borrow $15.6 million in DOLA, ETH, WBTC, & YFI"[5]
"The manipulation was not a flash loan attack and was un-related to Inverse's smart contract or front end code. All future borrows on Anchor are temporarily paused."[5]
Read together, the two statements describe a design weakness rather than a code defect. Anchor valued INV collateral using the price of the INV/ETH pool on Sushiswap. In a constant-product pool, buying INV with a large amount of ETH raises the marginal INV price, and every INV deposited as collateral is then valued at that inflated level, so the depositor's borrowing capacity in other assets (here DOLA, ETH, WBTC, and YFI) rises with it. A flash loan must be repaid within the same transaction, so "capital-intensive" and "not a flash loan attack" mean the attacker committed their own funds to move the pool price and keep it there for as long as the oracle reading needed to stay elevated; the cost of the attack is set by the depth of the pool, not by any flaw in the contract logic. Pausing borrows removed the profitable action without requiring a code change.
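To make the mechanism concrete, the following simulation is an added example written for this page; it is not Inverse Finance or Sushiswap code, and the pool reserves, collateral factor, TWAP window and guard threshold are constructed assumptions rather than figures from the incident. It models a constant-product INV/ETH pool, a lending market that values INV collateral at an oracle price and lends against it, and three oracle designs: a naive spot reading, a block-window TWAP, and a TWAP behind a price-deviation guard. It shows why a one-transaction flash loan cannot do this job, why the attack needs real capital scaled to the pool's depth, and what each mitigation does to the attacker's profit.

```python
"""Toy model of DEX price-oracle manipulation against a lending market.
Added example, not Inverse Finance or Sushiswap code: reserve sizes, collateral
factor, TWAP window and guard threshold are constructed assumptions."""
from collections import deque
from dataclasses import dataclass

FEE = 0.003  # constant-product swap fee (assumed)


@dataclass
class Pool:
    """Constant-product INV/ETH pair: inv * eth stays equal to k."""
    inv: float
    eth: float

    def spot(self) -> float:
        """ETH per INV read straight from the reserves, as a naive oracle does."""
        return self.eth / self.inv

    def buy_inv(self, eth_in: float) -> float:
        """Swap eth_in for INV; returns INV received and leaves the price higher."""
        new_inv = self.inv * self.eth / (self.eth + eth_in * (1 - FEE))
        inv_out = self.inv - new_inv
        self.inv, self.eth = new_inv, self.eth + eth_in
        return inv_out


class SpotOracle:
    """Reports the live reserve ratio: fully manipulable in one transaction."""
    def __init__(self, pool):
        self.pool = pool
    def observe(self):
        pass  # keeps no history
    def price(self):
        return self.pool.spot()


class TwapOracle:
    """Average of the last `window` per-block readings. A one-block spike (all a
    flash loan can do, being repaid in the same transaction) shifts the average
    by 1/window of the jump; shifting it fully means holding the pool skewed
    with real capital for the whole window."""
    def __init__(self, pool, window):
        self.pool, self.obs = pool, deque(maxlen=window)
    def observe(self):
        self.obs.append(self.pool.spot())
    def price(self):
        return sum(self.obs) / len(self.obs)


class GuardedOracle:
    """Rejects a price more than max_jump (fraction) from the last accepted one,
    so an abrupt move stalls new borrows instead of pricing collateral."""
    def __init__(self, inner, max_jump):
        self.inner, self.max_jump = inner, max_jump
        self.last = inner.price()  # inner must already hold honest history
    def observe(self):
        self.inner.observe()
    def price(self):
        p = self.inner.price()
        if abs(p - self.last) / self.last > self.max_jump:
            raise ValueError(f"price moved {p / self.last:.1f}x, over the guard")
        self.last = p
        return p


def attack(pool, oracle, eth_spent, collateral_factor, hold_blocks):
    """Buy INV with eth_spent, hold the skewed pool for hold_blocks, post the INV
    as collateral and borrow at the oracle price. Returns profit in ETH (borrowed
    minus spent; the INV is abandoned to liquidation when the price reverts), or
    None if the oracle refused to price the collateral."""
    inv_collateral = pool.buy_inv(eth_spent)
    for _ in range(hold_blocks):
        oracle.observe()
    try:
        price = oracle.price()
    except ValueError:
        return None
    return inv_collateral * price * collateral_factor - eth_spent


def scenario(kind, eth_spent, hold_blocks=1, window=10, collateral_factor=0.6):
    """One attack on a fresh pool (constructed: 10,000 INV / 1,000 ETH, so
    1 INV = 0.1 ETH) behind oracle `kind` in {spot, twap, guarded}."""
    pool = Pool(inv=10_000.0, eth=1_000.0)
    inner = SpotOracle(pool) if kind == "spot" else TwapOracle(pool, window)
    for _ in range(window):  # honest price history before the attack
        inner.observe()
    oracle = GuardedOracle(inner, 0.25) if kind == "guarded" else inner
    return attack(pool, oracle, eth_spent, collateral_factor, hold_blocks)


if __name__ == "__main__":
    for kind, spent, hold in [("spot", 500, 1), ("spot", 3000, 1),
                              ("twap", 3000, 1), ("twap", 3000, 10),
                              ("guarded", 3000, 10)]:
        print(f"{kind:8s} spend {spent:5d} ETH, hold {hold:2d} blocks:"
              f" profit {scenario(kind, spent, hold)}")
```

Two things fall out of running it. First, the value of the INV bought with Δ ETH, priced at the post-swap spot, is Δ(1 - fee)(y0 + Δ)/y0 where y0 is the pool's ETH reserve, so it grows quadratically with the ETH spent; against a collateral factor CF the attack becomes profitable once Δ exceeds roughly y0(1/CF - 1), about 667 ETH in this toy pool, and 3,000 ETH spent returns about 4,178 ETH of profit. The attacker's budget is fixed by the pool's depth, which is why a thinly traded token is the dangerous collateral even when the lending contract is correct. Second, the per-block TWAP (a simplification of a real cumulative-price TWAP, assumed here) turns a one-block spike into a loss, but an attacker who holds the skewed pool for the whole window recovers the full spot-oracle profit, at the cost of being exposed to arbitrage for that long; the deviation guard then refuses to price the collateral at all, which is the automated form of the borrow pause Inverse applied by hand. A patient attacker can still walk the price up in steps under the guard threshold, so a guard belongs alongside per-asset borrow caps and collateral limits tied to the liquidity actually available to liquidators.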
Total Amount Lost
The total amount lost has been estimated at $15.6 million USD in DOLA, ETH, WBTC, and YFI[4][5].
Immediate Reactions
Inverse Finance shared details of the attack on Twitter.
Inverse Finance Twitter Post
"the lending protocol took to Twitter, explaining the attack and noted that the attacker used “capital-intensive manipulation of the INV/ETH price oracle on Sushiswap.” This further resulted in “a sharp rise in the price of INV, which subsequently enabled the attacker to borrow $15.6 million”. However, unlike the latest tweet from the protocol, last time they had offered “a generous bounty in exchange for returning the borrowed funds”."[4]
"The manipulation was not a flash loan attack and was un-related to Inverse's smart contract or front end code. All future borrows on Anchor are temporarily paused."[5]
Ultimate Outcome
The Inverse Finance protocol implemented multiple policies to help repay affected users. The protocol suffered another attack later in June 2022. After that, further effort was made to secure the protocol through both bug bounties and smart contract auditing.
Repayment Of Wallets
"The plan to be proposed to governance is to ensure all wallets impacted by the price manipulation are repaid 100%. We have multiple avenues for accomplishing this and will provide updates as the DAO discusses our options."
Negotiations With Attacker
"The person or persons behind the price manipulation are encouraged to reach out via Twitter DM or Discord and discuss a generous bounty in exchange for returning the borrowed funds."
Subsequent Repeat Hack
The Inverse Finance protocol was hacked again in June 2022, after which they implemented multiple policies to help secure the protocol.
The importance of security was ultimately emphasized on the updated Inverse Finance website[2][3].
"We know the importance of security, especially for new lending protocols. Read our audit reports or work with us as we expand our third party security efforts."
- Code4Rena Bug Bounty Contest[7]
- Nomoi Web3 Hacker Collective[7]
- DefiMoon Boutique Auditing Firm[7]
- Inverse Finance Peckshield Audits[7][8]
Total Amount Recovered
The Inverse Finance protocol reported that they plan to repay affected users 100%.
TBD - Was anything repaid? Were any funds recovered?
Ongoing Developments
TBD
Individual Prevention Policies
Inverse Finance had no third-party smart contract audit prior to the attacks, and its collateral pricing relied on a DEX pool that a well-funded attacker could move. Users need to be extremely cautious when evaluating projects which haven't been audited, and should also look at how a lending platform prices the collateral it accepts, since a code audit alone does not guarantee that the oracle design is sound.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, and steel wallet devices.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
A third party security review that covered oracle design and collateral risk, not only contract code, would likely have flagged the reliance on a Sushiswap INV/ETH pool price to value INV collateral in the Inverse Finance protocol, and a borrow cap or price-deviation guard on that collateral could have limited the loss. An industry insurance fund can assist victims, and also help with ensuring proper validation.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, a report on any risks to the backing of customer assets, confirmation that treasuries or minting functions are properly secured under the control of a multi-signature wallet, and identification of any inadequacies in the training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the same third party not be used again within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
A mandated third party security review covering oracle design and collateral risk, not only contract code, would likely have flagged the reliance on a Sushiswap INV/ETH pool price to value INV collateral in the Inverse Finance protocol, preventing or limiting the loss. An industry insurance fund can assist victims, and also help with ensuring proper validation.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used twice within any 14 month period. A risk assessment needs to include what assets back customer deposits, how collateral is priced, and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must also cover social media, databases, and DNS security.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Introduction - Inverse Finance (Aug 25, 2023)
2. Inverse Finance Homepage (Aug 25, 2023)
3. Inverse Finance Homepage Archive, March 13th, 2022 4:14:01 PM MDT (Sep 1, 2023)
4. DeFi Hack: Inverse Finance Exploited For The Second Time This Year - Vauld Insights (Aug 25, 2023)
5. Inverse Finance - "This morning Inverse Finance's money market, Anchor, was subject to a capital-intensive manipulation of the INV/ETH price oracle on Sushiswap, resulting in a sharp rise in the price of INV which subsequently enabled the attacker to borrow $15.6 million in DOLA, ETH, WBTC, & YFI" - Twitter (Aug 25, 2023)
6. Inverse Finance Docs - Audits (Sep 1, 2023)
7. Inverse Finance Docs - Technical - Audits, https://docs.inverse.finance/inverse-finance/technical/audits (Sep 1, 2023)
8. Inverse Finance Audit By Peckshield (Sep 1, 2023)