The Analysis of Inverse Finance’s Price Manipulation Attack: The Hacker Profited About $15M

Beosin Alert — The Blockchain Security Situation Awareness Platform reported on April 2 that Inverse finance has suffered an oracle price manipulation attack. The attacker manipulated INV token prices and managed to profit about $15M. Check the following for our full analysis:

Exploiter 1:0x117c0391b3483e32aa665b5ecb2cc539669ea7e9

Exploiter 2:0x8b4c1083cd6aef062298e1fa900df9832c8351b3

Attack tx:

0x20a6dcff06a791a7f8be9f423053ce8caee3f9eecc31df32445fc98d4ccd8365
0x600373f67521324c8068cfd025f121a0843d57ec813411661b07edc5ff781842

Attack contract:

0xea0c959bbb7476ddd6cd4204bdee82b790aa1562

The attacker first withdrew 900 ETH from Tornado.Cash in preparation for raising the price of INV tokens.

The attacker used 300 ETH to swap for 374 INV tokens, and then swapped 200 ETH for 1372 INV tokens, totaling 1746 INV tokens. Here we can find that the first pool 300 ETH can be exchanged to only 374 INV, while the later 200 ETH is swapped for 1372 INV tokens, and the price of INV in the first pool WETH/INV has been obviously pulled up.

When calculating the price of the xINV token, it relies on the pair WETH/INV (0x328dfd0139e26cb0fef7b0742b49b0fe4325f821) to calculate. As the pair the pool has been already manipulated, coupled with the short timeElapsed interval, then the attacker can take advantage of the manipulated price as long as not calling in the current block, so as to manipulate the price of xINV tokens.

It can be seen that when the attacker manipulates the pair, it keeps sending mint transactions to ensure that it can maximize the use of the time interval. At the same time, the attacker cleverly avoids the manipulated price block (14506358) to mint, otherwise it will use the front block of the manipulated price block to calculate the price.

The attacker then directly minted all 1746 INV tokens held by himself (considered as collateral here) in exchange for 1156 xINV tokens (LP tokens), and then used the held xINV to borrow a large amount of tokens.

The total losses for Inverse finance is estimated to be 15 million USD.

Beosin’s Recommendation:

It is recommended that project owners use a long enough time interval. For example, as shown in the following Uniswap sample code, timeElapsed must be greater than 24hours or more.

Contact US

Website: https://beosin.com/

Email:contact@beosin.com

Twitter: https://twitter.com/Beosin_com

Telegram: https://t.me/beosin

Medium:https://medium.com/@Beosin

Github: https://github.com/Beosin20180329

Discord: https://discord.com/invite/B4QJxhStV4

Subscribe to Beosin
Receive the latest updates directly to your inbox.
Verification
This entry has been permanently stored onchain and signed by its creator.