The exploit had no effect on user funds, but Inverse Finance had accrued a debt and offered the attacker a bounty in exchange for the stolen monies. Inverse Finance was targeted with a flashloan exploit just two months after losing $15.6 million in a pricing oracle manipulation assault.
The attackers made off with $1.26 million in Tether (USDT) and Wrapped Bitcoin (WBTC). The most recent hack was manipulating the price oracle for a liquidity provider (LP) token used by the protocol’s money market application with a flashloan. The attacker was able to borrow more of the protocol’s stablecoin DOLA than the amount of collateral they put up, allowing them to pocket the difference.
The hack comes just over two months after a similar April 2 exploit, in which attackers used a pricing oracle to intentionally manipulate collateralized token prices in order to drain cash.
Inverse Finance momentarily halted borrowing and removed its DOLA stablecoin from the money market in response to the hack, claiming that no customer funds were at risk.
The attackers made a total of 99,976 USDT and 53.2 WBTC from the hack, which they converted to ETH before sending through the cryptocurrency mixer Tornado Cash to hide their illicit earnings.
