Cyber Incident Victim: Inverse Finance
Date:
Apr 2022
Location:
United States of America
Summary
A decentralized finance protocol suffered a $15.6 million exploit involving oracle manipulation, where an attacker artificially inflated the price of its native token through coordinated trades on a decentralized exchange. The perpetrator withdrew substantial Ethereum from a privacy service, injected funds into liquidity pools to distort token valuations, and borrowed multiple cryptocurrencies against the inflated collateral before arbitrage corrected prices. Stolen assets included Ethereum, Wrapped Bitcoin, Yearn Finance tokens, and stablecoins, with most laundered through mixing services. The platform temporarily halted borrowing operations, initiated recovery efforts including repayment proposals for affected users, and collaborated on implementing more secure oracle infrastructure. Blockchain analysts attributed the attack’s success to price feed vulnerabilities and sophisticated transaction obfuscation techniques that delayed market corrections.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 2, 2022, decentralized finance (DeFi) lending protocol Inverse Finance suffered a $15.6 million exploit targeting its Anchor money market. The attacker withdrew 901 ETH (approximately $3 million) from cryptocurrency mixer Tornado Cash to obscure the funds' origin, then executed a series of trades primarily in the INV/DOLA liquidity pool on decentralized exchange SushiSwap. These trades artificially inflated the price of Inverse Finance's native INV token from its normal level to $20,926 by manipulating the Keep3r price oracle used by the protocol. With INV's price temporarily elevated, the attacker deposited the undervalued tokens as collateral on Anchor and borrowed 1,588 ETH, 94 WBTC, 39 YFI, and 3,999,669 DOLA stablecoins. The attacker transferred the stolen assets to a new wallet and cycled most funds through Tornado Cash to launder them, though 73.5 ETH ($250,000) remained traceable in the original Ethereum wallet. To prevent arbitrageurs from correcting INV's price during the attack, the perpetrator used spam transactions to clog the network and delay market corrections. After the price manipulation, INV's value returned to normal levels, triggering automatic liquidation of the attacker's collateral—though the liquidation occurred after the funds had been successfully extracted. Blockchain security firm PeckShield first identified the attack and attributed it to oracle manipulation vulnerabilities.
Inverse Finance immediately paused all borrowing on Anchor following the exploit and announced collaboration with Chainlink to develop a more secure price oracle for INV. The protocol publicly addressed the attacker via Twitter and Discord, offering a "generous bounty" for the return of borrowed funds while acknowledging repayment might take weeks or months to implement. The primary impact affected users who had staked WBTC, ETH, YFI, and DOLA on Anchor, as these assets were drained from the platform. Inverse Finance stated it would submit a proposal to its decentralized autonomous organization (DAO) to fully reimburse affected wallets but provided no specific timeline or funding mechanism. Forensic analysis revealed the attacker's high-risk strategy required maintaining INV's artificial price long enough to extract loans before market corrections—a failure would have resulted in the loss of the initial $3 million investment. The incident marked the third major DeFi exploit reported that week, following the $625 million Ronin Network breach and Ola Finance's $3.6 million loss. Inverse Finance maintained borrow market suspensions for several days during oracle code revisions and security reviews while continuing recovery efforts for compromised user funds.