On Saturday, Inverse Finance (INV), an Ethereum-based lending platform, revealed that it had been hacked and that a hacker had made off with $15.6 million in cryptocurrency.
It’s the third multimillion-dollar cryptocurrency attack in the previous few days to make headlines.
According to Inverse, the attacker targeted the Anchor (ANC) money market, manipulating token values to borrow money with little or no collateral.
How did the hack happen?
According to blockchain security startup PeckShield, the Inverse attacker exploited a flaw in a Keep3r pricing oracle that Inverse uses to track token values. The attacker convinced the oracle that Inverse’s INV token was incredibly valuable, then borrowed millions of dollars from Anchor with the inflated INV as collateral.
To carry out the hack, the attacker first withdrew 901 ETH (about $3 million) from Tornado Cash, a cryptocurrency that allows users to send money without leaving a trail.
The mysterious funds were subsequently pumped into multiple trading pairings on the decentralized exchange SushiSwap, increasing the price of INV in the view of the Keep3r price oracle.
Once the price of INV had increased sufficiently, the attacker took out INV-backed loans on Anchor, before arbitrageurs dropped the price of INV back to normal levels.
According to a PeckShield executive, the attempt was high-risk because the $3 million worth of crypto used to fool the pricing oracle would have been fully lost if the price oracle had been hacked off Before the attacker took out the loans, INV had restored to normal levels.
In total, the attacker took 1,588 ETH, 94 WBTC, 39 YFI, and 3,999,669 DOLA. Most of the assets have been cycled back through Tornado Cash, making it difficult to predict where they will wind up, although 73.5 ETH (about $250,000) remains in the attacker’s initial account.
How many more to come?
This is the third multi-million dollar hack of decentralized finance (Defi) protocol to hit the news this week, highlighting attackers’ increasingly sophisticated tactics. On Tuesday, the gaming-focused Ronin network announced a crypto loss of more than $625 million, and two days later, lending protocol Ola Finance confirmed a $3.6 million attack.
ALSO READ: Fractal Is Speculated To Make A Splash In NFT Space After $35M Seed Round Fundraising
Source: https://www.thecoinrepublic.com/2022/04/06/inverse-finance-hacked-hacker-made-off-with-15-6m/