Inverse Finance stung for $1.2 million via flash loan attack
Just cryptocurrency things
A decentralized autonomous organization (DAO) called Inverse Finance has been robbed of cryptocurrency somehow exchangeable for $1.2 million, just two months after being taken for $15.6 million.
"Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said on Thursday in a post attributed to its Head of Growth "Patb."
And Inverse Finance would like its funds back. Enumerating the steps the DAO intends to take in response to the incident, Patb said, "First, we encourage the person(s) behind this incident to return the funds to the Inverse Finance DAO in return for a generous bounty."
That appears unlikely given reports that the attacker has routed the funds through Tornado Cash, a cryptocurrency mixing or tumbling protocol designed to obscure where funds came from. Coincidentally, the service is popular for money laundering.
The $5.83 million net loss represents funds borrowed by the attacker from the DAO to conduct the attack. So Inverse Finance is counting it as bad debt rather than funds that need to be repaid to any individual.
The DAO, founded by Nour Haridy in 2020, doesn't provide much detail about those running things, if anyone can be said to be running things in a "decentralized autonomous organization."
Inverse Finance made the news in April after being exploited for $15.6 million.
The Register reached out to those associated with Inverse Finance via Twitter and Discord in the hope of asking a few questions.
We managed to reach Patb via Discord. Here's how the conversation went (with minor editing for proper capitalization and readability):
ElReg: Is Inverse Finance actually a company that's incorporated anywhere? Or just a group of people?
Patb: Not incorporated – a DAO. Can you share a bit of background on what you are writing?
ElReg: Working on a story about the recent $1.2m hack. So how do DAOs work from a legal perspective? If disgruntled investors want to sue someone, do they name principals individually? And do you know whether the hack was the result of a bug in your smart contract code? Or was it the result of code others had authored?
Patb: Not our smart contract code.
ElReg: Can you elaborate? Any idea how the bug came to be? Also, how come the people on the team are not fully named apart from Nour? It seems like including that sort of information would help build trust. I'd not want to invest funds in an entity with no fixed address and few identified principals.
At that point, the conversation stopped for 18 minutes. Patb finally responded with a link to the Inverse Finance post cited above. A further question remained unanswered at the time this story was filed.
Patb's blog post provides details about what happened, but these are rather difficult to decipher for those not steeped in cryptocurrency jargon:
The affected market – yvcrv3crypto – utilized Chainlink price data instead of the internal exchange rate of the Curve protocol, which allowed the attacker to flashborrow 27,000 in wBTC and trade it into the tricrypto pool, which caused the price of the yvcrv3crypto LP token to jump in value, in the eyes of the oracle and created an opportunity to borrow DOLA against that collateral in Frontier.
While we did incorporate Chainlink oracles as part of our own price feed to determine the underlying asset price for the yvcrv3crypto LP token, the actual AMM LP token price feed of the token in this incident was manipulated much higher, enabling the attacker to execute the incident. It is worth noting that this oracle implementation was reviewed by a competent third-party team as well. By relying on the Chainlink oracle for individual tokens, which was correct, the price feed incorrectly calculated the value of the AMM LP tokens.
Basically, the attacker used a flash loan – a loan taken out and repaid within the same transaction – to skew the pool so that the oracle overvalued the LP-token collateral, then borrowed DOLA against that inflated valuation.
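The mechanism Patb describes (per-token Chainlink prices that are correct, feeding an LP-token valuation that still moves with the pool's composition) can be shown with a toy model. The following Python is an added illustration, not Inverse Finance or Curve code: it uses a simplified two-asset constant-product pool rather than the tricrypto invariant, with constructed reserves, prices and trade sizes, and contrasts the manipulable reserve-based LP valuation with an invariant-based one that a single large swap cannot move.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass
class Pool:
    """Two-asset constant-product pool (x * y = k), fee-free for clarity.
    Constructed stand-in for an AMM pool; not Curve's tricrypto invariant."""
    reserve_a: float   # e.g. wBTC held by the pool
    reserve_b: float   # e.g. a USD stablecoin held by the pool
    lp_supply: float   # LP tokens outstanding

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell amount_a of A into the pool; returns the B paid out."""
        k = self.reserve_a * self.reserve_b
        self.reserve_a += amount_a
        new_b = k / self.reserve_a
        out = self.reserve_b - new_b
        self.reserve_b = new_b
        return out


def spot_lp_price(pool: Pool, price_a: float, price_b: float) -> float:
    """Manipulable: values the current reserves at external (Chainlink-style)
    prices. A large swap leaves the pool heavy in one asset, so this jumps
    even though each per-token oracle price is correct."""
    return (pool.reserve_a * price_a + pool.reserve_b * price_b) / pool.lp_supply


def fair_lp_price(pool: Pool, price_a: float, price_b: float) -> float:
    """Resistant: values the pool as if arbitraged back to balance at the
    external prices. Depends only on the invariant k, which swaps preserve."""
    k = pool.reserve_a * pool.reserve_b
    return 2 * sqrt(k * price_a * price_b) / pool.lp_supply


def deviation(spot: float, fair: float) -> float:
    """Relative gap between the two valuations; a lender can pause borrows
    against the LP token when this exceeds a small threshold."""
    return abs(spot - fair) / fair


if __name__ == "__main__":
    pool = Pool(reserve_a=100.0, reserve_b=3_000_000.0, lp_supply=1_000.0)
    btc, usd = 30_000.0, 1.0                  # constructed oracle prices
    print(spot_lp_price(pool, btc, usd), fair_lp_price(pool, btc, usd))  # 6000 6000
    pool.swap_a_for_b(100.0)                  # one flash-loan-sized dump of A
    print(spot_lp_price(pool, btc, usd), fair_lp_price(pool, btc, usd))  # 7500 6000
```

With 100 LP tokens posted as collateral, the spot valuation would let a lender extend credit against $750,000 of collateral where the invariant-based figure says $600,000; the 25% deviation is the signal a market can act on.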
According to Patb's post, Inverse Finance is "adding additional security operations talent to the Inverse team." That follows "a competent third-party team to review the architecture and implementation of the oracle involved in today’s incident" and contributions and consulting that followed the incident in April.
In case you're still unclear on what a DAO is or why anyone would put money into such a thing, you might find an answer of sorts at Investopedia, among other resources for deciphering the deliberately obtuse terminology of the cryptocurrency world.
Here's one salient passage: "The developers of the DAO believed they could eliminate human error or manipulation of investor funds by placing decision-making power into the hands of an automated system and a crowdsourced process."
Let that sink in. Maybe even read it a second time.
As for Inverse Finance, at least the thief didn't abscond with the venture's optimism.
"We are also taking immediate steps to incentivize additional liquidity in the DOLA-3POOL," Patb's post concludes. "More information on this is coming soon." ®