The Inverse Finance hack
Inverse Finance is a decentralized platform for lending, borrowing, and creating synthetic assets, powered by its Ethereum token (INV).
The token governs Inverse Finance products and can be used to vote on future upgrades. Inverse Finance helps users maximize their earnings through revenue sharing, high yields with sustainable APYs, and low-cost stablecoin borrowing via DOLA, its over-collateralized stablecoin.
Today, 2 April 2022, Inverse Finance users lost money to a sophisticated hack in which $15.6m was stolen (1588 ETH, 94 WBTC, 4M DOLA, 39.3 YFI).
How it happened:
As with many hacks, the funding can be traced back to Tornado Cash, and this one was no different. The withdrawal transaction: https://etherscan.io/tx/0x600373f67521324c8068cfd025f121a0843d57ec813411661b07edc5ff781842
That transaction shows the hacker withdrawing 901 ETH from Tornado Cash. They then sent 1.5 ETH to each of 241 fresh addresses via Disperse and deployed five smart contracts. Look closely, though, and only one of the five contained the actual exploit; the other four were decoys.
The hacker then swapped 500 ETH for about 1.7k INV. Given the thin liquidity of the INV-WETH pair on SushiSwap, a buy of that size moved the price dramatically. At the same time they spammed exploit transactions so that one would land in the very next block, when the oracle would still reflect the inflated SushiSwap price. This was no novice: the many addresses and decoy contracts were there to confuse the generalized bots that would ordinarily have front-run such a trade. (Had the manipulation been spotted in Ethereum's dark forest, the attack would probably have failed and the hacker would have lost the initial deposit, because other Flashbots searchers could have arbitraged the pair back into balance.)
Inverse Finance priced INV through a Keep3r Network oracle, which computes a TWAP over the SushiSwap pair. The hacker evidently knew this and exploited the oracle's manipulation weakness: it simply uses the *most recent* observation to compute the average price, without checking whether that observation was written far enough back in time.
The oracle therefore reported the inflated price, and INV became extremely valuable as collateral on the platform. That let the hacker deposit their 1.7k INV, borrow against it, and walk away with $15.6m.
Once the team noticed what had happened, they paused borrowing.
Oracle Manipulation bug:
Keep3r's oracle returns a `lastUpdatedAgo` value alongside the price, and its `current` function is the "unsafe" one, yet Inverse's feed never checked that value. It could have rejected the price (reverted) when the underlying observation was too recent; instead the Inverse contract ignored it entirely. `current` is highly manipulable, and Inverse should have used the other functions the contract already provided, which average over a longer window of observations.
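To make the `lastUpdatedAgo` point concrete, here is an added Python model of a Keep3r-style feed over a constant-product pool. It is not Inverse Finance's or Keep3r Network's Solidity; the pool sizes, timestamps, 30-minute period and MIN_AGE threshold are all constructed for the illustration. It replays the pattern described above (pump the pool one second before a keeper observation lands, then read the feed in the next block) against a feed that drops `lastUpdatedAgo`, a feed that enforces a minimum observation age, and a multi-point average:

```python
"""Added model (not Inverse Finance's or Keep3r's code) of a TWAP feed over a
constant-product pool. Shows why averaging from the newest stored observation
is manipulable, and two checks that defeat it: a minimum observation age and
averaging across several stored points. All numbers are constructed."""
from dataclasses import dataclass


class Pool:
    """Constant-product INV/WETH pool with a UniswapV2-style cumulative price."""

    def __init__(self, inv: float, weth: float, t0: int):
        self.inv, self.weth = inv, weth
        self.last_ts = t0
        self.cumulative = 0.0          # sum of price * seconds since t0

    def price(self) -> float:          # WETH per INV
        return self.weth / self.inv

    def _accrue(self, now: int) -> None:
        self.cumulative += self.price() * (now - self.last_ts)
        self.last_ts = now

    def swap_weth_for_inv(self, weth_in: float, now: int) -> float:
        """Buy INV with WETH; returns INV out (fees ignored for clarity)."""
        self._accrue(now)
        k = self.inv * self.weth
        self.weth += weth_in
        inv_out = self.inv - k / self.weth
        self.inv -= inv_out
        return inv_out

    def current_cumulative(self, now: int) -> float:
        """What the pair's cumulative price would read if touched right now."""
        return self.cumulative + self.price() * (now - self.last_ts)


@dataclass
class Observation:
    timestamp: int
    price_cumulative: float


class TwapOracle:
    """Keep3r-style oracle: keepers store one observation per period;
    current() averages from the newest stored observation up to now."""

    def __init__(self, pool: Pool, now: int, period: int = 1800):
        self.pool, self.period = pool, period
        self.obs = [Observation(now, pool.current_cumulative(now))]

    def update(self, now: int) -> bool:
        if now - self.obs[-1].timestamp < self.period:
            return False
        self.obs.append(Observation(now, self.pool.current_cumulative(now)))
        return True

    def current(self, now: int) -> tuple:
        """Returns (twap, last_updated_ago). If the newest observation was
        written this very second, fall back to the one before it."""
        o = self.obs[-1]
        if o.timestamp == now and len(self.obs) > 1:
            o = self.obs[-2]
        elapsed = max(now - o.timestamp, 1)
        twap = (self.pool.current_cumulative(now) - o.price_cumulative) / elapsed
        return twap, elapsed

    def quote(self, points: int) -> float:
        """TWAP across the last `points` stored intervals, i.e. at least
        points * period seconds of history, so one pumped second barely moves it."""
        newest, oldest = self.obs[-1], self.obs[-1 - points]
        return (newest.price_cumulative - oldest.price_cumulative) / (
            newest.timestamp - oldest.timestamp)


MIN_AGE = 1800   # constructed threshold: refuse averages spanning less than this


def vulnerable_feed(oracle: TwapOracle, now: int) -> float:
    price, _ = oracle.current(now)          # lastUpdatedAgo silently dropped
    return price


def hardened_feed(oracle: TwapOracle, now: int) -> float:
    price, age = oracle.current(now)
    if age < MIN_AGE:
        raise ValueError(f"observation is only {age}s old; price is manipulable")
    return price


def run_scenario() -> dict:
    """Attacker pumps the pool one second before a keeper update lands, then
    reads the feed in the next block, 12 s later."""
    pool = Pool(inv=3_000.0, weth=360.0, t0=0)        # 0.12 WETH per INV
    oracle = TwapOracle(pool, now=0)
    for t in (1800, 3600):
        oracle.update(t)                               # honest keeper updates
    honest = vulnerable_feed(oracle, 3612)
    inv_bought = pool.swap_weth_for_inv(500.0, now=5399)
    oracle.update(5400)                                # observation at pumped price
    pumped, age = oracle.current(5412)
    try:
        hardened_feed(oracle, 5412)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return {
        "honest_price": honest,
        "inv_bought": inv_bought,
        "spot_after_swap": pool.price(),
        "vulnerable_price": pumped,
        "last_updated_ago": age,
        "hardened_feed": verdict,
        "multi_point_price": oracle.quote(points=1),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>18}: {value}")
```

In the scenario the naive feed returns the fully pumped price (the entire 12-second window it averages over sits after the swap), `hardened_feed` refuses because the observation is only 12 seconds old, and the one-interval `quote` comes out within a fraction of a percent of the honest price because the pump occupies one second of a 1800-second window.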
Note that the attacker manipulated both the DOLA/INV price and the WETH/INV price.
Why? Because manipulating only the SushiSwap pool the Keep3r oracle reads from would have opened an arbitrage opportunity. INV is thinly traded and listed on just two illiquid DEX markets, both on SushiSwap. By pumping both pools, the attacker removed the chance for on-chain arbitrage bots and MEV searchers to undo the manipulation.
The Inverse Finance hack is an eye-opener for other projects: TWAP price oracles are no cure-all for lending markets. Illiquid assets should not be granted collateral power, and protocols rushing into fixed-rate lending against illiquid assets can get badly hurt.
The combination of price manipulation, bad debt, and a drop in liquidity and demand temporarily depegged DOLA for a few minutes, but it quickly regained its peg and continued generating the revenue needed to liquidate the bad debt and restore full Anchor solvency. That is arguably a bullish signal: it suggests DOLA may have the swiftest and most powerful peg-enforcement tool of any stablecoin.
The initial funds for the attack were withdrawn from Tornado Cash, and most of the proceeds have since been deposited back into Tornado Cash, with only 73.5 ETH still sitting in the hacker's account.
Inverse Finance has assured users that all wallets impacted by the price manipulation will be repaid in full and that it will fiercely defend DOLA's USD peg using the DOLA Fed monetary policy.