Skip to content

Oracle Attacks #1 — Inverse Finance, $15M stolen

  • by

We are starting off our new mini-series about important Oracle Hacks and Manipulations. At the beginning, we would like to point out that we’re far from criticizing and condemning any of the projects mentioned in the series. Making mistakes is inevitable in such rapidly changing environments like DeFi & Web3. However, we should make the most of these expensive lessons and try not to repeat the same mistakes. The goal of this mini-series is to spread awareness about potential attack vectors and share safety rules that would have protected the victim protocols and showcase that, at RedStone, we follow market events and adjust our infrastructure accordingly.

This episode describes one of the most recent oracle manipulation cases, executed in April 2022. The targeted protocol is Inverse Finance — a ‘decentralised bank’ providing numerous DeFi services such as collateralised lending. Let’s dive in!

Description of the attack

A professionally executed hack allowed an anonymous actor to manipulate the price of $INV and help themselves to an exclusive deal from the ETH-based lending protocol. They were able to submit collateral in the flash-pumped asset and receive a loan in other tokens worth orders of magnitude more than the fair price of the collateral.

How exactly did it go? Let’s break it down together with @bertcmiller, who specified the following steps in his post-mortem analysis:

  • Hacker withdraws 901 Eth from Tornado Cash.
  • Using Disperse.app, the hacker transfers 1.5 Eth to 241 clean addresses in order to deploy 5 different smart contracts.
  • Hacker swaps 500 eth to 1.7k INV through Sushi INV-WETH pool, increasing the INV price by approximately x50 due to low liquidity.
  • Hacker begins sending numerous malicious transactions to Inverse Finance to be the first to get into the next block.
  • The Inverse Finance ends up using SushiSwap TWAP as a (single) oracle. The price returned by the oracle is extremely inflated.
  • Finally, the hacker manages to deposit 1.7k INV as collateral (at $644k fair price) and borrow $15.6M in the form of 1588 ETH, 94 WBTC, 4M DOLA, 39.3 YFI.

The precision of execution, the plan’s structure, and extensive knowledge of blockchain quirks demonstrate that the actors behind this exploit were no amateurs.
One of the most MEV aware hacks I’ve seen as @bertcmiller put it.

A deeper dive into the details amplifies the unique nature of this hack:

  • The attacker managed to hold an oracle’s price at an insane level across multiple blocks.
  • The transaction to manipulate the oracle price was submitted in block N (14506358) as a bundle (transactions sent directly to miners, without going through the mempool) so arbitrage bots didn’t see it in the mempool and couldn’t bring the price for block N back in line.
  • In block N+1 the price was arbitraged back. However, the oracle still used the price from block N.
  • The attacker spammed the Inverse Finance contract to make sure the exploit was also executed in the block N+1 at N block price.

It is important to mention that such an attack is not risk-free for the attacker. This particular attack involved the initial injection of 901 ETH ($2.7M at that time) in order to manipulate the price. This deposit may have been lost if something went wrong along the way. The development of the technology behind oracles, especially in attack prevention, is crucial as it significantly increases the risk, driving down the expected return of such a procedure. The end goal is to make the viability negative. This means that such an attack would become economically irrational.

The cause of the malfunction

Using a single price oracle based on a relatively low liquidity pool of assets.

Lessons learned

If Inverse Finance hadn’t used a single price oracle, the attack would have been significantly more difficult and the capital requirements, in order to execute it, would have made it too risky to begin with. The protocols should always opt for multiple data sources while using oracles.

At RedStone we are on a mission to build the next generation of Oracles. Our solution has an unrivaled ability to exert significant control over any new data listings. Result? The flexibility to follow any emerging market trends, alongside substantial cost savings, allows us to stay at the frontier of a new wave of Decentralised Finance.

Join us on the journey!

Twitter | Discord | Website | Github | Linkedin