‘Inverse Finance’ Exploited Again In $1.2 Million Flash Loan Attack

To make matters worse, this is the second such incident for Inverse Finance after US$15.6 million was stolen in an exploit just three months ago.

Flash Loan Attack

Flash loans are DeFi-specific crypto loans in which large amounts of capital can be borrowed with little collateral, provided the loan is paid back within the same transaction.

While typically used by traders, hackers have demonstrated success in being able to trick a protocol’s smart contract into manipulating prices and then taking over the liquidity pool’s assets.

This is a so-called “flash loan attack”, a technique utilised by the exploiter in this latest incident, confirmed by security firm PeckShield:

On-chain data reveals that the culprit flash-borrowed 27,000 wrapped bitcoin from lending protocol Aave to conduct the attack. The funds were subsequently routed through swap service Curve for various stablecoins before being used to remove DOLA, a stablecoin, from Inverse Finance pools.

In total, the exploiters managed to steal more than 53 bitcoin, worth US$1.1 million, and 10,000 tether (USDT). As a result, Inverse implemented a temporary pause on its lending:

Since the exploit, an address tagged “Inverse Finance Exploiter” has apparently been sent 900 ETH, worth around US$1 million, to Tornado Cash, a privacy mixer often used when attackers wish to conceal their funds.

‘Generous Bounty’ Offered

In a post-mortem, Inverse Finance encouraged the person(s) behind the incident to return the funds for a “generous bounty”. And to mitigate the risk of further incidents, it added that it had retained the services of security experts to not only further understand the breach, but also to prevent further such instances in the future.