DeFi Lender ‘Inverse Finance’ Exploited for $15.6 Million

Inverse Finance, a decentralised lending protocol built on Ethereum, has lost over US$15 million in the latest multimillion-dollar DeFi hack of the year. Hackers were able to lean on an exploit and take out massive loans and get away through Tornado Cash.

As spotted by blockchain analytics firm PeckShield, the lending protocol had 4300 ETH stolen:

The hackers targeted Inverse’s Anchor (ANC) money market by artificially manipulating token prices to borrow loans against extremely low collateral:

The hackers were funded with 901 ETH (US$3 million) from Tornado Cash in order to pull off the exploit. By tricking the price oracle into thinking the native INV token was at a much higher price, massive loans were then taken out on Anchor using INV as collateral.

This was done by injecting the funds into several trading pairs on SushiSwap, inflating the price of INV. A representative from PeckShield told CoinDesk that “the attack was high-risk, since the $3 million worth of crypto used to trick the price oracle would have been completely lost if the price of INV [had fallen] back to normal levels before the attacker took out the loans”.

Inverse’s Plan of Action

Inverse has since paused all borrowing and stated in a thread that a plan would be sent to governance to “ensure all wallets impacted by the price manipulation are repaid 100 percent”, adding that it would not mint new INV to repay affected users, which might affect its already falling price.

A bounty has been made available to the hacker but no further updates have been issued. To minimise the risk of future problems like this one, a representative for the protocol added that it is working with Chainlink to build a new INV oracle.

This event only adds to the list of DeFi hacks to have occurred this year. In March, Deus Finance was exploited for US$3 million in a flash loan attack, while in February QiDao also suffered a multimillion-dollar exploit.