Inverse Finance DeFi protocol hacked for $11.7M dollars

Inverse Finance DeFi was hacked earlier today with hacker taking whopping 11.7 million dollars, with protocol loss being much larger as less will be using it from now on. This DeFi hack was made possible by making use of price oracle manipulation bug.

When INV, Inverse Finance’s token with highly manipulated price is used as collateral, it can be used to drain assets from Inverse Finance. Hacker made deposit of 901 Ethereum and manipulated the price. Due to bug in their smart contract, this allowed attacker to borrow $15.6M in DOLA, ETH, WBTC and YFI. This was not a flash loan attack.

Keep in mind this was a dangerous for hacker as well. If the hack failed, he would have lost access to 901 Ethereum as well. In other words, if anyone had frontruned the borrow transaction that would have been funny.

4) The initial funds to launch the hack are withdrawn from @TornadoCash and most of the result gains are deposited to @TornadoCash. Currently 73.5 ETH still stays in the hacker’s account. We are actively monitoring this address for any movement. pic.twitter.com/ghkNphyfXh

— PeckShield Inc. (@peckshield) April 2, 2022

Interestingly, hacker withdrew these funds and deposited the gains on Tornado Cash, which is an Ethereum mixing service.

4. The person or persons behind the price manipulation are encouraged to reach out via Twitter DM or Discord and discuss a generous bounty in exchange for returning the borrowed funds.

— Inverse+ (@InverseFinance) April 2, 2022

Inverse Finance has announced they will offer hacker a generous bounty if he offers to return borrowed funds. Well, let’s just say that if he does not, nobody will ever use Inverse Finance in future.