In a week of heavy losses for DeFi projects, another DeFi-based protocol, Inverse Finance, lost $15 million in an exploit. Within the week of the 27th of March to the 2nd of April, Ronin Network was exploited for $625 million in what is currently the largest exploit in DeFi history.
Within that week, Ola Finance also announced that they had been exploited for $4.6 million.
Inverse Finance is an Ethereum-based lending protocol and was created in 2020. It has grown to become a Decentralized Autonomous Organization (DAO) with the INV token as the governance token for the ecosystem. The other product offered is the DOLA token, a USD stablecoin that enables borrowing on the protocol. Anchor is the money market that facilitates borrowing via the DOLA or other tokens such as ETH.
How Did the Exploit Occur?
In a Twitter post, Inverse Finance reported that the Anchor money market was manipulated. According to the tweet, the hacker exploited a security breach in the Sushiswap Oracle protocol that allowed them to borrow $15.6 million worth of DOLA, ETH, WBTC, & YFI.
PeckShield, a blockchain security and data analytics company, released a couple of tweets concerning the situation. According to the tweets, the hacker exploited a price oracle manipulation bug. The hacker manipulated the INV price so that it rose sharply, and the inflated INV was then used as collateral to borrow funds from the platform. According to the Etherscan report, nine tokens were transferred during the transaction. The hacker stole 1,588 ETH, 1,156 xINV, 94 WBTC, 4,000 DOLA, 1,780 INV, and 39 YFI, which all amounted to $15.6 million.
Aftermath of the Exploit
After the exploit, Inverse Finance is reportedly making efforts to repay all the affected users. They have also paused borrowing on the Anchor money market as they aim to remediate the situation. Being a DAO with quite a lot of public interest, Inverse Finance organized a Twitter Space where they gave updates to stakeholders in the DAO.
Some of the updates from the Twitter Space include that Chainlink will replace the TWAP Oracle which is used in the Anchor Money Market. However, the upgrade will be made when the INV price feed meets the liquidity requirements. A Twitter user, "ChainLinkGod", who serves as a community ambassador for Chainlink, gave a slight breakdown of some of the implications of the TWAP oracle bug. They include
To many blockchain beginners, one concept that was brought to light through this exploit is oracles. The Inverse Finance hacker exploited a vulnerability in the TWAP oracle. Now the question is, What are Oracles?
What are Oracles?
An oracle in blockchain describes a third party that provides reliable data outside what is available within the blockchain. Essentially, like an oracle in historical times, it has access to information beyond the public space. Blockchains themselves are not built to interact with public sources, and they primarily store data generated within the chain. Hence, there's a need for additional protocols before they can interact with off-chain sources.
In cases where smart contracts are based on events outside the blockchain, oracles are needed to ensure the secure delivery of information from off-chain to on-chain sources.
For the case of Anchor Money Market by Inverse Finance, Uniswap Time Weighted Average Protocol (TWAP) was the price oracle used to provide exchange rates between the Ethereum-based tokens.
What is Chainlink?
Chainlink is a decentralized network of oracles that provides data from off-chain sources to on-chain sources. They help to connect smart contracts to real-world information outside the blockchain in a secure manner. Chainlink is an Ethereum based network, and it is secured by the Proof-of-Stake consensus mechanism.
Just like TWAP, Chainlink also provides price feeds for Ethereum-based tokens. In this article by SmartContent, a comparison is made between Chainlink and TWAP. One of the clear comparative advantages Chainlink has over TWAP, as noted in the report and the tweet by ChainLinkGod, is that TWAP time sampling is too short.
Another significant advantage as noted in the article is that TWAP does not offer scalable security while Chainlink Price Feeds offers higher protection to the oracle network as the value rises.
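The effect of a sampling window that is too short can be shown with a small simulation of a time-weighted average price. This is an added example, not code from Inverse Finance, Uniswap, Sushiswap or Chainlink: the accumulator is a simplified model, and the prices, timestamps, window lengths, collateral factor and deviation bound are all constructed values.

```python
from bisect import bisect_right

class TwapOracle:
    """Simplified cumulative-price accumulator (a model, not any protocol's code)."""
    def __init__(self, t0, price):
        self.obs = [(t0, 0.0)]          # (timestamp, sum of price * seconds)
        self.last_price = price

    def update(self, t, new_price):
        """last_price held until t (t must increase); new_price applies after."""
        t_prev, cum_prev = self.obs[-1]
        self.obs.append((t, cum_prev + self.last_price * (t - t_prev)))
        self.last_price = new_price

    def _cumulative_at(self, t):
        """Interpolate the accumulator at time t >= first observation."""
        i = bisect_right([o[0] for o in self.obs], t) - 1
        t_i, cum_i = self.obs[i]
        if i + 1 < len(self.obs):       # price in force between obs[i] and obs[i+1]
            t_n, cum_n = self.obs[i + 1]
            price = (cum_n - cum_i) / (t_n - t_i)
        else:                           # after the latest observation
            price = self.last_price
        return cum_i + price * (t - t_i)

    def twap(self, now, window):
        """Average price over [now - window, now]."""
        return (self._cumulative_at(now) - self._cumulative_at(now - window)) / window

def borrow_limit(units, price, collateral_factor=0.6):
    """Value a lending market would lend against `units` of collateral."""
    return units * price * collateral_factor

def within_deviation(twap_price, reference_price, max_dev=0.10):
    """Guard: accept the TWAP only if it is close to an independent reference."""
    return abs(twap_price - reference_price) / reference_price <= max_dev

def simulate(window):
    """Constructed scenario: price 400 for an hour, then a 10x spike read 15 s later."""
    oracle = TwapOracle(t0=0, price=400.0)
    oracle.update(3600, 4000.0)
    return oracle.twap(now=3615, window=window)

if __name__ == "__main__":
    for window in (30, 1800):           # constructed: 30 s vs 30 min sampling
        p = simulate(window)
        print(window, p, borrow_limit(1000, p), within_deviation(p, 400.0))
```

With the 30-second window the oracle reports 2,200 against a reference of 400 and the deviation guard rejects it; with the 30-minute window the same spike only moves the average to 430.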
Conclusion
A Medium article by Nour Haridy, the founder of Inverse Finance, gives a breakdown of how the platform is expected to operate. After the unfortunate incident, the hacker has not communicated, even though Inverse Finance has offered a bounty for returning the lost funds.
It is expected that critical steps will be taken by the DeFi platform to prevent a further repeat of the incidents.
Author: Gate.io Observer: M. Olatunji