Hackers are at it again, and this time an open-source protocol for lending becomes the latest victim.
Inverse Finance, a borrowing technology built on top of the Ethereum blockchain, said Saturday that it had been hacked.
According to various news reports, the crooks made off with $15.6 million worth of stolen cryptocurrency.
The attacker targeted the Anchor (ANC) money market, obtaining loans with negligible collateral following a manipulation of token prices to drive them down, reports said.
Blockchain security firm PeckShield claims the Inverse attacker exploited a Keep3r price oracle’s vulnerability to steal tokens.
Hackers Trademark Deception
The approach deceives the oracle into believing the Inverse INV token has skyrocketed in value. From there, it appears as though the attacker obtained multimillion-dollar loans using INV as collateral.
As a result of the incident, Inverse Finance has temporarily halted borrowing on Anchor.
To carry out the attack, the hacker required $3 million in ETH from Ethereum-based mixer Tornado Cash.
The attacker then injected the unknown funds into various trading pairs on the decentralized exchange SushiSwap, boosting the price of INV in the Keep3r price oracle.
Third Major Attack
This is the third multimillion-dollar hack of a DeFi protocol in the last week, highlighting cybercriminals’ ever-evolving techniques.
Another lending protocol, Ola Finance, suffered a $3.6 million loss on Friday. On Wednesday, the Ronin network, a gaming-focused website, was robbed of more than $625 million.
BTC total market cap at $924.01 billion on the daily chart | Source: TradingView.com
The Ronin hack, according to sources, involves the theft of five accounts. Crypto is a highly hacked area – $14 billion was stolen and scammed away last year from unsuspecting individuals or corporate entities.
The Usual Route
Flora Li, the chief of the Huobi cryptocurrency exchange’s Research Institute, explained that the vulnerability stemmed from shortcuts used to ease network constraints as the hacking activity gained popularity. Hackers subsequently exploited the shortcuts.
The Inverse hackers carted off with some 1,588 ETH, 94 WBTC, 39 YFI, and 3,999,669 DOLA in total.
Although the hacker has cycled the majority of the funds back through Tornado Cash, it is unclear where the funds will end up as around 73.5 ETH (about $250,000) remains in the cybercriminal’s original Ethereum wallet.
An Inverse official said the protocol is collaborating with Chainlink to develop a new INV oracle.
Meanwhile, according to data released by DefiLlama, the total value locked (TVL) in protocols across all chains presently amounts at $231 billion.
Featured image from TheNewsCrypto, chart from TradingView.com