On June 16, 2022, the DeFi protocol of the Inverse Finance Exploiter was hacked, and as a result $1.2 million was stolen. The price of the project's INV coin dropped by about 10%.
The DeFi network of the Inverse Finance Exploiter combines a new cryptocurrency, advanced lending protocols and synthetic assets that provide a unique experience for investors.
The service had already been hacked in April of this year. That time more than $15.6 million was stolen, and now there has been another theft. Last time the attackers recovered the funds they had stolen, keeping about $250 000 for themselves.
According to the PeckShield research team, the first hack occurred on April 2, 2022 at 11:00 a.m. UTC. The hackers were able to withdraw WBTC, YFI, DOLA, xINV and INV tokens. Some of the funds were transferred to the Tornado.Cash crypto mixing service. Apparently, the hackers were able to exploit a vulnerability in the Inverse Finance smart contract to manipulate the price of INV, the project's token for protocol management. The attackers did so by exchanging 500 ETH on the SushiSwap platform.
The TokenScope Team decided to look into the circumstances of the recent attack and to reveal the withdrawal paths.
Inverse Finance posted a message about the attack on its Twitter feed on June 16, 2022:
The hackers created an Inverse Finance contract, 0xf508c58ce37ce40a40997C715075172691F92e2D, on June 16, 2022, to steal the funds. The attackers deposited funds from both the Uniswap exchange and the Inverse Finance liquidity pool. The amount of 1 068 ETH was transferred to the address 0x7b792e49f640676b3706d666075e903b3a4deec6, from which the funds were sent in 10 transactions of 100 ETH each (totaling 1 000 ETH) to the Tornado.Cash crypto mixer address 0xd90e2f925da726b50c4ed8d0fb90ad053324f31b, while 68 ETH remained on the address.
The hack was possible due to oracle price manipulation: the oracle incorrectly processed the asset balances in the pool when calculating the price of the token. Flash loans made it even easier to distort the reserves in the pool, and the hackers took advantage of this.
Thus, as a result of a vulnerability in the smart contracts of the Inverse Finance Exploiter service, the service has been hacked twice during the last 3 months. Both attacks resulted in the theft of users' funds, which were laundered via the Tornado.Cash service. Tornado.Cash is a popular crypto mixer that we have already come across as a service related to money laundering activity.
Considering the frequency of the attacks and the INV price manipulation, it is possible that these attacks are custom-made and aimed at attracting attention to the DeFi-based Inverse Finance service.
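An added illustration of the weakness described above (not code from Inverse Finance or TokenScope): a price read straight from pool balances moves with a single large trade, while a block-averaged price with a deviation check refuses the read. The constant-product pool, the `GuardedOracle` class and all figures are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:  # assumed constant-product pool; all figures are constructed
    base: float   # reserve of the token being priced
    quote: float  # reserve of the asset the price is quoted in

    def spot_price(self) -> float:  # read straight from current balances
        return self.quote / self.base

    def swap_quote_in(self, amount: float) -> float:
        # Constant-product swap, fees ignored: base * quote stays constant.
        k = self.base * self.quote
        self.quote += amount
        out = self.base - k / self.quote
        self.base -= out
        return out

@dataclass
class GuardedOracle:  # hypothetical mitigation, not Inverse Finance code
    window: int = 10             # recent blocks averaged
    max_deviation: float = 0.05  # allowed gap between spot and average
    history: list = field(default_factory=list)

    def record(self, price: float) -> None:  # once per block, end-of-block price
        self.history = (self.history + [price])[-self.window:]

    def average(self) -> float:
        return sum(self.history) / len(self.history)

    def read(self, pool: Pool) -> float:
        # Serve the averaged price; refuse when spot has left the band.
        avg = self.average()
        if abs(pool.spot_price() - avg) / avg > self.max_deviation:
            raise ValueError("spot price deviates from average; read refused")
        return avg

def demo():
    pool, oracle = Pool(base=1_000.0, quote=100_000.0), GuardedOracle()
    for _ in range(10):
        oracle.record(pool.spot_price())  # ten quiet blocks at 100.0
    pool.swap_quote_in(100_000.0)         # one large borrowed trade
    distorted = pool.spot_price()         # balance-derived price jumps
    try:
        oracle.read(pool)
        blocked = False
    except ValueError:
        blocked = True
    return distorted, oracle.average(), blocked
```

A lending contract that values collateral with `spot_price()` would see the distorted figure inside the same transaction; the guarded read keeps serving the pre-trade average or fails closed.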