• Notifications Markets & Prices
      View more
    • Language & Exchange Rate Switch
    • Preference Settings
      Rise/fall colour
      Start-End Time of the Change
    Web3 Exchange
    Gate Blog

    Your Gateway to crypto news and insights

    Gate.io Blog Inverse Finance lost $15 million in an Exploit

    Inverse Finance lost $15 million in an Exploit

    20 April 08:43


    In a week of heavy losses for Defi projects, another Defi-based protocol, Inverse Finance, lost $15 million in an exploit. Within the week of the 27th of March to the 2nd of April, Ronin Network was exploited for $625 million in what is currently the largest exploitation in Defi history.

    Within that week, Ola Finance also announced that they had been exploited for $4.6 million.

    Inverse Finance is an Ethereum-based lending protocol and was created in 2020. It has grown to become a Decentralized Autonomous Organization (DAO) with the INV token as the governance token for the ecosystem. The other product offered is the DOLA token, a USD stablecoin that enables borrowing on the protocol. Anchor is the money market that facilitates borrowing via the DOLA or other tokens such as ETH.


    How Did the Exploit Occur?



    In a Twitter post, Inverse Finance reported that the Anchor money market was manipulated. According to the tweet, the hacker exploited a security breach in the Sushiswap Oracle protocol that allowed them to borrow $15.6 million worth of DOLA, ETH, WBTC, & YFI.


    Peckshield, which is a blockchain security and data analytics company, released a couple of tweets concerning the situation. According to the tweets, the hacker exploited a price Oracle manipulation bug. The hacker manipulated the INV price such that there was a sharp price increase, and it was used as collateral in borrowing funds from the platform. According to the Etherscan report, nine tokens were transferred during the transaction. The hacker stole 1,588 ETH, 1,156 xINV, 94 WBTC, 4,000 DOLA, 1,780 INV, 39 YFI which all amounted to $15.6 million.


    Aftermath of the Exploit



    After the exploit, Inverse Finance is reportedly making efforts to repay all the affected users. They have also paused borrowing on the Anchor money market as they aim to remediate the situation. Being a DAO with quite a lot of public interests, Inverse Finance organized a Twitter Space where they gave updates to stakeholders in the DAO.

    Some of the updates from the Twitter Space include that Chainlink will replace the TWAP Oracle which is used in the Anchor Money Market. However, the upgrade will be made when the INV price feed meets the liquidity requirements. A Twitter user, "ChainLinkGod" who serves as a community ambassador for Chainlink gave a slight breakdown of some of the implications of the TWAP oracle bug. They include
    To many blockchain beginners, one concept that was brought to light through this exploit is oracles. The Inverse Finance hacker exploited a vulnerability in the TWAP oracle. Now the question is, What are Oracles?



    What are Oracles?



    An oracle in blockchain describes a third party that provides reliable data outside what is available within the blockchain. Essentially like an oracle in historical times, they have access to information beyond the public space. In the case of blockchain, they are not built to interact with public sources, and they primarily store data generated within the chain. Hence, there's a need for additional protocols before they can interact with the off-chain sources.

    In cases where smart contracts are based on events outside the blockchain, oracles are needed to ensure the secure delivery of information from off-chain to on-chain sources.

    For the case of Anchor Money Market by Inverse Finance, Uniswap Time Weighted Average Protocol (TWAP) was the price oracle used to provide exchange rates between the Ethereum-based tokens. What is Chainlink?Chainlink is a decentralized network of oracles that provides data from off-chain sources to on-chain sources. They help to connect smart contracts to real-world information outside the blockchain in a secure manner. Chainlink is an Ethereum based network, and it is secured by the Proof-of-Stake consensus mechanism.

    Just like TWAP, Chainlink also provides price feeds for Ethereum-based tokens. In this article by SmartContent, a comparison is made between Chainlink and TWAP. One of the clear comparative advantages Chainlink has over TWAP, as noted in the report and the tweet by ChainLinkGod is that TWAP time sampling is too short.

    Another significant advantage as noted in the article is that TWAP does not offer scalable security while Chainlink Price Feeds offers higher protection to the oracle network as the value rises.


    Conclusion



    A Medium article by Nour Haridy, the founder of Inverse Finance, gives a breakdown of how the platform is expected to operate. After the unfortunate incident, the hacker has not communicated, even though they have offered a bounty for returning the lost funds.
    It is expected that critical steps will be taken by the Defi platform to prevent a further repeat of the incidents.



    Author: Gate.io Observer: M. Olatunji
    Disclaimer:
    * This article represents only the views of the observers and does not constitute any investment suggestions.
    *Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.
    ETH/USDT + 2.78%
    BTC/USDT + 0.13%
    GT/USDT + 0.86%
    DAO/USDT + 1.15%
    YFI/USDT -1.66%
    INV/USDT -1.26%
    Unbox Your Luck and Get a $6666 Prize
    Register Now
    Claim 20 Points now
    New User Exclusive: complete 2 steps to claim Points immediately!

    🔑 Register an account with Gate.io

    👨‍💼 Complete KYC within 24 hours

    🎁 Claim Points Rewards

    Claim now
    Language and Region
    Exchange Rate

    Select language and region

    Go to Gate.TR?
    Gate.TR is online now.
    You can click and go to Gate.TR or stay at Gate.io.