In June 2022, Inverse Finance suffered its second hack of the year.  This was another example of a price oracle manipulation exploit that resulted in losses of $5.8 million in tokens.

Inside the Attack

Price oracle manipulation attacks like this one take advantage of on-chain calculations of token values.  If a DeFi protocol calculates the value of a token on-chain, then an attacker can manipulate the perceived value of that token by making massive deposits and loans from the protocol.  With flashloans, anyone can take out massive loans with no collateral, providing the leverage needed to manipulate vulnerable protocols.

In this case, the vulnerable code existed in the project’s YVCrvCrypto pool.  The Inverse price oracle estimated the value of its LP token price based on the balance of current assets within the pool.  Since the attacker can manipulate this balance of assets through deposits, swaps, and trades, they can manipulate the value of the LP token.

In this case, the attacker took out a flashloan, deposited collateral into the pool and performed a swap to manipulate the perceived value of that collateral.  This allowed them to take out a much larger loan than they should have been able to.  After a few conversions, they were able to pay off their flashloan and make a tidy profit.

Lessons Learned From the Attack

Price oracle manipulation is probably the best-known attack against DeFi protocols.  This threat can be prevented by avoiding on-chain token price calculations and using a price oracle like Chainlink instead.  Despite being the victim of a similar hack in April, Inverse has not undergone a security audit, which might have identified and fixed this issue before it was exploited.

Explained: The Inverse Finance Hack (June 2022)
Rob Behnke