Inverse Finance Second Price Oracle Exploit
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Inverse Finance, a decentralized lending protocol, experienced its second hack of the year through price oracle manipulation. The attacker made a profit of $1.26 million in BTC and USDT by exploiting imbalances in assets to calculate LP token prices. The attacker used a flash loan to manipulate pool reserves and quickly sold the stolen funds via Uniswap, laundering them through Tornado Cash. The protocol temporarily halted borrowing services and removed its stablecoin DOLA from its money market, reassuring users that no funds were taken or at risk.
About Inverse Finance
Inverse Finance is a DeFi platform which describes itself as "a decentralized autonomous organization that develops and manages the FiRM fixed rate lending protocol and DOLA, a debt-backed decentralized stablecoin"[1]. Inverse Finance is responsible for developing and managing the FiRM fixed-rate lending protocol, the DOLA decentralized stablecoin, and the DBR DeFi primitive[1]. They offer fixed-rate borrowing (DOLA Borrowing Rights), earning returns through liquidity provision, and staking INV for DBR yield[1][2].
The protocol was originally founded by Nour Haridy in late 2020 but is now governed by the Inverse Finance DAO, a collective of crypto enthusiasts[1]. Their code base is open source and community-maintained[1].
The Inverse Finance homepage emphasizes their security measures, transparency, and governance model[2]. It provides statistics on token circulation, 24-hour volume, and total value locked[2]. Additionally, it mentions their involvement in the Curve ecosystem and encourages community participation[2]. It mentions the prices of their tokens (DOLA, DBR, INV)[2].
INV token holders have voting power in the on-chain governance system called Governor Mills. The DAO has created Working Groups with discretionary budgets for agility. Inverse Finance aims to secure the availability of synthetic assets, particularly decentralized stablecoins, while prioritizing decentralization, transparency, sustainable growth, and member control[1].
Their vision is to empower everyone with an internet connection through decentralized stablecoins[1]. Whether you're experienced in DeFi or new to crypto, their Gitbook provides a comprehensive understanding of Inverse Finance's offerings[1].
The Reality
The Ethereum-based lending protocol Inverse Finance has experienced its second hack this year. In this attack, the hacker exploited a vulnerability related to price oracle manipulation, resulting in a profit of $1.26 million in BTC and USDT.[3]
The hacker manipulated asset balances in the pool to calculate the LP token price directly, altering the pool's reserves and enabling a flash loan attack. The stolen funds were quickly sold on Uniswap and passed through Tornado Cash for anonymity.[3]
Inverse Finance temporarily halted its borrowing services in response to the hack and confirmed that its over-collateralized stablecoin DOLA was removed from its money market, Frontier. The protocol assured users that no user funds were taken or at risk and that an investigation was underway.[3]
Security firm PeckShieldAlert suggested that the attack might have been carried out by a bot that front-ran the original hack.[3]
This is the second significant exploit for Inverse Finance this year, following a $15.6 million loss in April due to a price manipulation attack. During that incident, the protocol offered a reward for the return of the stolen funds, but this time, they have not made a similar offer.[3]
DeFi protocols and Discord servers have been increasingly targeted by exploits in 2022, raising concerns about security in the crypto industry alongside liquidation issues due to the ongoing bear market.[3]
What Happened
"Ethereum-based lending protocol, Inverse Finance, has witnessed its second hack this year. The DeFi lender was exploited via price oracle manipulation through which, the attacker made a profit of $1.26 million in BTC and USDT."
"@InverseFinance was exploited leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger)."[4]
| Date | Event | Description |
|---|---|---|
June 16th, 2022 2:47:58 AM MDT | Blockchain Transaction | The blockchain exploit transaction. |
June 16th, 2022 3:51:00 AM MDT | Inverse Finance Tweet | Inverse Finance acknowledges the attack on Twitter[5]. They report that they have temporarily paused borrowing. |
June 16th, 2022 4:33:00 AM MDT | PeckShield Summary | PeckShield shares a summary of the attack on Twitter[4]. |
June 16th, 2022 6:53:28 AM MDT | Vault Insights Article | Vault Insights reports on the attack, a vulnerability related to price oracle manipulation, resulting in a profit of $1.26 million in BTC and USDT. The hacker manipulated asset balances in the pool to calculate the LP token price directly, altering the pool's reserves and enabling a flash loan attack. Inverse Finance temporarily halted its borrowing services in response to the hack and confirmed that its over-collateralized stablecoin DOLA was removed from its money market, Frontier. Security firm PeckShieldAlert suggested that the attack might have been carried out by a bot that front-ran the original hack. A previous significant exploit for Inverse Finance of $15.6 million in April is also referenced[3][6]. |
Technical Details
Hacking Transaction: [7]
Exploiter Wallet: [8]
"[T]he hacker misused the balances of assets in the pool to directly calculate the LP token price, further altering the reserves in the pool and facilitating a flash loan attack. The attacker quickly sold the stolen funds via Uniswap, further putting them through Tornado cash."
"The hack is made possible due to the price oracle manipulation, which misuses the balances of assets in the pool to directly calculate the LP token price. It is greatly facilitated by the flashloan to skew the reserves in the pool."
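The two quotes above describe the root cause in one sentence: the LP token was valued from the pool's own balances, so a flash-loan-funded swap that skewed the reserves also skewed the collateral price. The Python model below is an added example (not Inverse Finance code, and not a reconstruction of the exploit transaction) that makes the failure mode concrete from the defender's side. It builds a constructed constant-product pool with two equally priced tokens, values one LP token two ways, then applies a large one-sided swap and compares the results. The "naive" pricer is the manipulable pattern the page describes; the "fair LP" pricer is the commonly used mitigation that values the LP token from the invariant sqrt(r0*r1) and externally sourced token prices (p0, p1), so a swap that leaves the invariant unchanged cannot move it. All reserve sizes, prices and the swap amount are assumptions chosen for illustration; the fee-free pool is a simplification.

```python
import math


class ConstantProductPool:
    """Minimal Uniswap-v2-style pool without a swap fee (constructed model)."""

    def __init__(self, r0: float, r1: float, lp_supply: float):
        self.r0 = r0              # reserve of token0
        self.r1 = r1              # reserve of token1
        self.lp_supply = lp_supply

    def swap0_for_1(self, amount_in: float) -> float:
        """Sell token0 into the pool; x*y=k is preserved because there is no fee."""
        k = self.r0 * self.r1
        new_r0 = self.r0 + amount_in
        new_r1 = k / new_r0
        amount_out = self.r1 - new_r1
        self.r0, self.r1 = new_r0, new_r1
        return amount_out


def naive_lp_price(pool: ConstantProductPool, p0: float, p1: float) -> float:
    """Manipulable: values the LP token from the pool's current balances.

    A large swap inflates one reserve far more than it drains the other, so the
    sum of reserve values (and therefore the LP price) moves with the swap.
    """
    return (pool.r0 * p0 + pool.r1 * p1) / pool.lp_supply


def fair_lp_price(pool: ConstantProductPool, p0: float, p1: float) -> float:
    """Mitigation: values the LP token from the invariant, not the balances.

    With external prices p0, p1 (e.g. a time-weighted or aggregated feed, assumed
    here as inputs), the value of the pool is 2*sqrt(k*p0*p1), which a swap
    cannot change because k is constant across swaps.
    """
    return 2.0 * math.sqrt(pool.r0 * pool.r1 * p0 * p1) / pool.lp_supply


def simulate_skew(flash_amount: float) -> dict:
    """Price one LP token before and after a large one-sided swap.

    Returns a dict so the caller can compare both pricers side by side.
    """
    # Constructed pool: 1,000,000 of each token, 1,000,000 LP tokens outstanding.
    pool = ConstantProductPool(r0=1_000_000.0, r1=1_000_000.0, lp_supply=1_000_000.0)
    p0, p1 = 1.0, 1.0  # assumed external prices; both tokens worth $1

    result = {
        "naive_before": naive_lp_price(pool, p0, p1),
        "fair_before": fair_lp_price(pool, p0, p1),
    }
    # A flash loan lets an attacker push a very large swap through the pool in
    # one transaction; here we model that as a single oversized sale of token0.
    pool.swap0_for_1(flash_amount)
    result["naive_after"] = naive_lp_price(pool, p0, p1)
    result["fair_after"] = fair_lp_price(pool, p0, p1)
    return result


def is_oracle_manipulable(prices: dict, tolerance: float = 1e-9) -> bool:
    """Detection-style check: did the pricer move more than tolerance under the swap?"""
    return abs(prices["naive_after"] - prices["naive_before"]) > tolerance


if __name__ == "__main__":
    out = simulate_skew(flash_amount=9_000_000.0)
    for key, value in out.items():
        print(f"{key:>13}: {value:.4f}")
    print("naive pricer manipulable:", is_oracle_manipulable(out))
```

With the constructed numbers the naive price of one LP token jumps from 2.0 to 10.1 after the swap, while the fair-LP price stays at exactly 2.0 because sqrt(r0*r1) is unchanged. The caveat a reviewer would raise is that the fair-LP formula only moves the trust problem: it is sound exactly as long as p0 and p1 come from a source the same flash loan cannot skew, which is why protocols pair it with external or time-weighted price feeds rather than the pool's spot price.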
Movement Of Obtained Funds
"The initial fund (1 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 68 ETHs of the illicit gains still stay in the hacker’s account and 1000 ETHs have been deposited to @TornadoCash"
Analysis From Peckshield
@InverseFinance was exploited in [7], leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger).
2/ To illustrate, we use the above tx and show the key steps below
3/ The hack is made possible due to the price oracle manipulation, which misuses the balances of assets in the pool to directly calculate the LP token price. It is greatly facilitated by the flashloan to skew the reserves in the pool.
4/ The initial fund (1 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 68 ETHs of the illicit gains still stay in the hacker’s account https://etherscan.io/address/0x7b792e49f640676b3706d666075e903b3a4deec6…… and 1000 ETHs have been deposited to @TornadoCash
Total Amount Lost
"Ethereum-based lending protocol, Inverse Finance, has witnessed its second hack this year. The DeFi lender was exploited via price oracle manipulation through which, the attacker made a profit of $1.26 million in BTC and USDT."
"@InverseFinance was exploited leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger)."
The total amount lost has been estimated at $1,260,000 USD.
Immediate Reactions
The protocol’s official Twitter handle acknowledged the exploit and announced that they are temporarily halting the borrowing services because of the hack. Inverse Finance said its over-collateralized stablecoin DOLA was removed from its money market, Frontier. The DeFi platform tweeted — “We are investigating the incident however no user funds were taken or were at risk. We are investigating and will provide more details soon”.
"Inverse has temporarily paused borrows following an incident this morning where DOLA was removed from our money market, Frontier. We are investigating the incident however no user funds were taken or were at risk. We are investigating and will provide more details soon."[5]
Ultimate Outcome
The Inverse Finance protocol ultimately implemented multiple policies to help secure the protocol. The importance of security was ultimately emphasized on an updated Inverse Finance website[9][10].
"We know the importance of security, especially for new lending protocols. Read our audit reports or work with us as we expand our third party security efforts."
Code4Rena Bug Bounty Contest
Nomoi Web3 Hacker Collective
DefiMoon Boutique Auditing Firm
Inverse Finance Peckshield Audits
Total Amount Recovered
The total amount recovered is unknown.
"The initial fund (1 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 68 ETHs of the illicit gains still stay in the hacker’s account and 1000 ETHs have been deposited to @TornadoCash"
Ongoing Developments
"The initial fund (1 ETH) to launch the hack is withdrawn from @TornadoCash. Currently 68 ETHs of the illicit gains still stay in the hacker’s account and 1000 ETHs have been deposited to @TornadoCash"
Individual Prevention Policies
The Inverse Finance smart contract did not have any smart contract audit performed prior to the attacks. Users need to be extremely cautious when evaluating projects which haven't been audited.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
A third party smart contract audit would likely have uncovered the oracle manipulation vulnerability in the Inverse Finance protocol, preventing the loss. An industry insurance fund can assist victims, and also help with ensuring proper validation.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
A third party smart contract audit would likely have uncovered the oracle manipulation vulnerability in the Inverse Finance protocol, preventing the loss. An industry insurance fund can assist victims, and also help with ensuring proper validation.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Introduction - Inverse Finance (Aug 25, 2023)
2. Inverse Finance Homepage (Aug 25, 2023)
3. DeFi Hack: Inverse Finance Exploited For The Second Time This Year - Vauld Insights (Aug 25, 2023)
4. Peckshield - "@InverseFinance was exploited in [a transaction], leading to the gain of ~$1.26M for the hacker (The protocol loss may be larger)." - Twitter (Aug 25, 2023)
5. Inverse Finance - "Inverse has temporarily paused borrows following an incident this morning where DOLA was removed from our money market, Frontier. We are investigating the incident however no user funds were taken or were at risk. We are investigating and will provide more details soon." - Twitter (Aug 25, 2023)
6. Vauld Official - "DeFi Hack: Inverse Finance Exploited For The Second Time This Year" - Twitter (Oct 19, 2022)
7. Ethereum Transaction Hash (Txhash) Details | Etherscan (Aug 25, 2023)
8. Inverse Finance Exploiter - Etherscan (Sep 1, 2023)
9. Inverse Finance Homepage (Aug 25, 2023)
10. Inverse Finance Homepage Archive March 13th, 2022 4:14:01 PM MDT (Sep 1, 2023)
11. Inverse Finance Docs - Audits (Sep 1, 2023)
12. Inverse Finance Docs - Technical - Audits, https://docs.inverse.finance/inverse-finance/technical/audits (Sep 1, 2023)
13. Inverse Finance Audit By Peckshield (Sep 1, 2023)