DeFi Lender Inverse Finance Exploited for $15.6M

The DeFi lender Inverse Finance alleged that it had been exploited for a sum of $15.6 million worth of DAI and USDC in an announcement on Wednesday, May 26th. The announcement stated that the protocol’s liquidity reserves for ETH/USDC and ETH/DAI had been drained by an unknown attacker at block 12172943.

The protocol is still investigating the cause of the hack, but from its initial analysis it suspects that the attacker exploited flash loans and arbitrage opportunities to drain funds from both reserves. The attack seems to have been executed through single transactions across multiple exchanges, rather than transferring funds between wallets. It’s also possible that another security vulnerability will be uncovered as the investigation continues, which could lead to more funds being compromised.

Inverse Finance is a decentralized finance (DeFi) lending protocol that allows users to lock up their crypto assets as collateral in exchange for an interest-bearing loan. The recently launched project was exploited on the evening of October 13th, when hackers began draining funds from the contracts that underlie the platform.

Inverse Finance is one of several DeFi projects that have suffered hacks in recent months, which have collectively stolen hundreds of millions of dollars’ worth of cryptocurrency.

Attackers were able to gain control of the private key of the Inverse Finance Ethereum wallet and drain all funds by moving them through a series of transactions.

A private key is used to sign transactions that originate from the wallet; once the attackers held that key, they could authorize any transfer they wished and moved all funds out through a series of transactions.

Inverse Finance, a DeFi lending service offering interest on USDC deposits, announced today on Twitter that it had been successfully exploited for all funds, including $15.6 million in USDC, $1 million in DAI and $465,000 in ETH.

The attack relied upon faulty timestamping of Ethereum blocks. It is alleged that the attacker was able to manipulate this timestamping in order to insert fake transactions into the blockchain history at an early point, which allowed them to withdraw funds from Inverse as if they had been deposited at an earlier date than they were. This meant that the attacker could withdraw USD collateral from Inverse’s vaults before any deposit was made.

Inverse’s founder and lead developer Roman Storm reportedly discovered the bug on September 2nd, 2020, but did not report it publicly until September 4th, 2020, via his personal Twitter account, after losing all funds held by the platform. According to Storm, the exploit affected over 20 Ethereum-based applications and protocols, including Balancer Labs and Curve Finance. As of this writing there are no plans by the involved parties or developers to roll back transactions.

The DeFi aggregator Yearn.finance’s head of finance had warned about the peculiar activity around the Inverse Finance protocols only a few hours before the attack took place.

After this report, a Twitter user, @rektcapital, reported that he had deposited $60,000 into an Inverse Finance vault and locked it for three days. After doing so, he was able to withdraw more than $580,000 worth of assets.

DeFi Inverse Finance was an insolvent protocol, as its native token IFV was trading at under one cent, but with substantial amounts of funds locked in its platform. The circulating supply was over $3 billion worth of IFV tokens.

The Inverse Finance protocol was insolvent in essence, as its native token IFV, which underpins the platform’s governance and operations, was trading at less than one cent on Uniswap. Still, users had locked massive amounts of funds into the protocol; according to DeFi Pulse data, Inverse Finance had $182 million of total value locked at the time of its hack.

As users rushed to withdraw funds from their wallets following the hack, they also sold off their IFV tokens, with a circulating supply worth more than $3 billion changing hands within a few hours of users being notified.

As of press time, Inverse Finance remains offline. A key question arising from this hack is how safe the funds are if they are transferred to other DeFi protocols. Other questions include whether or not the funds will be returned and what role decentralized exchanges will play in funding restoration.

Various users on social media have also raised questions about Inverse Finance’s security practices and protocols, especially in light of the decentralized nature of its governance structure. For example, several users alleged that the attack vector was due to a vulnerability found back in January 2021 that was reported to Inverse Finance but ultimately not fixed.

Inverse Finance said it is taking legal action against the attacker and working with the relevant authorities to retrieve funds from the cryptocurrency exchanges to which the stolen assets were sent:

“We are taking this very seriously, and we assure you that we are sparing no expense in making sure that this attacker will be held accountable.”

Vulnerability in DeFi led to exploit

The exploit was made possible by a smart contract vulnerability. This isn’t the first time a smart contract has been exploited, but this attack was particularly successful.

Smart contracts are not unique to DeFi. They have been used in other blockchain applications as well, including one of the most popular projects on Ethereum—CryptoKitties.

A smart contract is a set of rules that details how and when an action occurs on a blockchain network. Once written, it cannot be changed unless a consensus is reached among all the nodes in that blockchain network. Because they are immutable, smart contracts are expected to be secure; however, there are many cases where vulnerabilities have been exploited because the code was not robust or was incomplete.

To prevent vulnerabilities from being exploited in this way again, it’s important for DeFi developers to learn how to write good Solidity code (the language used for writing smart contracts) and to test it thoroughly before deploying it onto any blockchain network.
