Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Flash Loan Attack. Show all posts

Hackers Target Inverse Finance in a Flash Loan Oracle Attack

 

Inverse Finance, a decentralized autonomous organization (DAO) has suffered a flash loan assault, where hackers stole $1.26 million in Tether (USDT) and Wrapped Bitcoin (WBTC). This comes just two months after the Defi exchange witnessed an exploit where the hackers siphoned $15.6 million in a price oracle manipulation exploit. 

"Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said. 

Inverse Finance is an Ethereum-based decentralized finance (DeFi) protocol that facilitates the borrowing and lending of cryptos. The latest exploit worked by employing a flash loan attack where hackers take a flash loan from a Defi platform. Subsequently, they pay it back in the same transaction, causing the price of the crypto asset to surge and then quickly withdraw their investments. 

Upon discovering the attack, the defi protocol temporarily paused borrowing and took down DOLA stablecoin from the money market saying that it is investigating the incident, while no user funds were at risk. 

It later confirmed that only the hacker’s deposited collateral was impacted in the incident. In a tweet, the company requested the attackers to return the funds in return for a “generous bounty”. 

The hacker in total secured 99,976 USDT and 53.2 WBTC from the attacks. As soon as the hack was successful, the attackers routed the funds via Tornado Cash, a cryptocurrency mixing or tumbling protocol designed to obscure where funds came from. Coincidentally, the service is popular for money laundering.

It should be noted that the significant rise in Defi which facilitates crypto-denominated lending outside traditional banking, has been a major factor in the increase in stolen funds and frauds. Threat actors have targeted DeFis the most, in yet another warning for those dabbling in this emerging segment of the crypto industry.

“DeFi is one of the most exciting areas of the wider cryptocurrency ecosystem, presenting huge opportunities to entrepreneurs and cryptocurrency users alike,” as per a report by Chainalysis. 

Last year, more stolen funds flowed to DeFi platforms (51 percent) and centralized exchanges received less than 15 percent of the total stolen funds, Chainalysis wrote in its annual Crypto Crime report. “This is likely due to exchanges’ embrace of AML and KYC processes, which threaten the anonymity of cybercriminals,” the report added.

Cybercriminal Steals $13 Million In DEUS Finance Exploit

 

The decentralized derivatives protocol based on Fantom, DEUS Finance suffered a flash loan attack on Thursday, with the attacker making off with about $13.4 million. 

According to on-chain data, the anonymous hacker carried out the assault using a flash loan at around 2:40 AM UTC. Flash loan assaults involve attackers borrowing funds with a requirement that the borrowed sum be returned in the same transaction. These are made possible with smart contracts. While flash loans are meant for arbitrage trading and enhancing capital efficiency, attackers have abused them to manipulate DeFi price data feeds — known as oracles — and carry out attacks. 

The Deus hacker took a flash loan to manipulate the price oracle within one of its liquidity pools on Fantom, involving a token called DEI paired against the USDC stablecoin, security analysts at PeckShield explained in a post. The flash-loan assisted manipulation surged DEI's price and the inflated value was then used as collateral to borrow additional capital, within the same flash loan transaction.

This additional borrowed capital was sold for USDC stablecoin, after which the hacker repaid the flash loan — netting about $13.4 million. The perpetrator then transferred the exploited funds from Fantom to Ethereum, where they routed them via Tornado Cash, a mixing protocol used to obfuscate Ethereum transactions. This wasn't the first security incident for Deus Finance. 

Last month, the protocol lost $3 million to a flash loan exploit. The community was disappointed that the protocol had been hacked again in the same way. While the community waits for an official reaction, calls have been made to Circle to freeze the $USDC implicated in the incident. Flash loan attacks have become one of the most popular ways hackers target DeFi platforms. 

Earlier this month, hackers stole $11.2 million worth of Binance Coin from the DeFi platform Elephant Money. Cream Finance was hit with three different flash loan attacks in 2021, costing the DeFi platform $130 million in October, $37 million in February, and another $29 million in August. 

Last year, hackers stole at least $2.2 billion from DeFi protocols, Blockchain analysis firm Chainalysis said. Earlier this year in March, the Ronin Network announced that hackers stole more than $500 million worth of cryptocurrency, making it one of the largest attacks ever.