A decentralized finance (DeFi) protocol called Inverse Finance suffered a flash loan exploit on Thursday, with the hacker making off with about $1.2 million. Notably, this comes after Inverse Finance had become a target of a $15 million exploit in April.
In today's incident, an unknown perpetrator executed a flash loan attack using 27,000 wrapped bitcoin (worth about $579 million) at around 4:47 a.m. ET, according to on-chain data. The exploited funds included 53 BTC and 100,000 USDT.
Further analysis of blockchain data shows that the exploited funds were sent to Tornado Cash, a popular transaction mixer on the Ethereum network.
PeckShield, a security firm that first noted the incident, said the protocol loss may be larger than the $1.2 million sum pocketed by the exploiter.
Flash loans are loans taken out with a requirement that the borrowed sum be returned in the same transaction. While flash loans are meant for arbitrage trading and improving capital efficiency, hackers have abused them to manipulate DeFi price data feeds — known as oracles — and carry out exploits.
"The hack is made possible due to the price oracle manipulation, which misuses the balances of assets in the pool to directly calculate the LP token price. It is greatly facilitated by the flashloan to skew the reserves in the pool," PeckShield said.
To update its community, Inverse stated in a Twitter post that it has temporarily paused borrows and was still investigating.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.