DeFi Protocol Inverse Finance Exploited for $1.2M

Attackers used a flash loan attack to drain the open-source protocol outfit of bitcoin and tether.

AccessTimeIconJun 16, 2022 at 11:57 a.m. UTC
Updated May 11, 2023 at 4:41 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Ethereum-based decentralized finance (DeFi) tool Inverse Finance was exploited for more than $1.2 million worth of cryptocurrency on Thursday morning, on-chain data appears to show.

Exploiters seemed to use a flash loan attack to trick the protocol and steal more than 53 bitcoin, worth $1.1 million, and 10,000 tether (USDT), a stablecoin backed on a 1-1 basis with U.S. dollars. The exploit comes just over two months after attackers stole $15 million worth of cryptocurrencies from Inverse Finance in a similar attack, as previously reported.

During European hours Thursday, Inverse Finance developers paused borrowing functions for users and said they were investigating the incident.

Flash loans are a DeFi-specific mechanism allowing users to borrow high amounts of capital on little collateral as long as the loan is paid back within the same transaction. They are generally used by traders, but bad actors may use flash loans to trick a protocol’s smart contract into manipulating prices on liquidity pools and take over that pool’s assets.

Blockchain data apparently shows the exploiters flash-borrowed some 27,000 wrapped bitcoin from lending protocol Aave to conduct the attack. The funds were routed through swap service Curve for various stablecoins before being used to remove DOLA, a stablecoin, from Inverse Finance pools.

Attackers deployed a flash loan attack to steal the funds, blockchain data apparently shows. (Etherscan)
Attackers deployed a flash loan attack to steal the funds, blockchain data apparently shows. (Etherscan)

An address tagged as “Inverse Finance Exploiter” on blockchain analysis tool Etherscan apparently sent 900 ether, worth $1 million, to privacy mixer Tornado Cash following the exploit, data shows.

Tornado Cash allows users to mask addresses and is sometimes employed by attackers to hide their stolen funds.


Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.


Read more about