Inverse Finance was targeted with a flash loan hack merely two months after losing $15.6 million in a price oracle tampering assault. The attackers made off with $1.26 million in Tether (USDT) and Wrapped Bitcoin (wBTC).
A flash loan is a sort of crypto loan that is usually acquired and returned in a single transaction, while Inverse Finance is an Ethereum-based decentralized finance (DeFi) system.
The most recent vulnerability was manipulating the pricing oracle for a liquidity provider (LP) token used by the protocol’s money market application with a flash loan.
This permitted the attacker to borrow a higher quantity of Dola (DOLA), the protocol’s stablecoin, than the sum of collateral they submitted, allowing them to steal more of the protocol’s stablecoin.
Inverse Finance suffered a similar attack
The hack follows just over two months after an identical April 2 exploit, in which attackers used a pricing oracle to intentionally alter collateralized token prices in order to drain cash.
Inverse Finance responded to the attack by temporarily suspending borrowing and removing DOLA from the money market while it examined the event, claiming that no user funds were at risk.
It was eventually revealed that the incident solely harmed the attacker’s deposited collateral and that it only acquired a liability to itself due to the stolen DOLA. The attacker was asked to return the funds in exchange for a “generous prize.”
The attackers made a total of 99,976 USDT and 53.2 wBTC from the attack, which they converted to ETH before sending through the cryptocurrency mixer Tornado Cash to hide their illicit earnings.
Attackers made off with $15.6 million in Ether (ETH), wBTC, Yearn.Finance (YFI) and DOLA in the previous attack in April.
In March, the DeFi marketplace Deus Finance was hacked, with attackers altering a price pairing within an oracle, resulting in a gain of 200,000 Dai (DAI) and 1101.8 ETH, valued at over $3 million at the time.
Beanstalk Farms, a credit-based stablecoin system, lost all of its $182 million in collateral in a flash loan assault triggered by two malicious governance proposals, which ultimately drained the protocol’s money.