No user funds are affected by the exploit, however Inverse Finance has incurred a debt and offered the aggressor a bounty to return the stolen funds.
Just two months after losing $15.6 million in a value oracle manipulation exploit, Inverse Finance has once more been hit with a flashloan exploit that saw the attackers make off with $1.26 million in Tether (USDT) and Wrapped Bitcoin (WBTC).
Inverse Finance is an Ethereum based localized finance (DeFi) protocol and a flashloan is a variety of crypto loan that's sometimes borrowed and came back inside one transaction. Oracles report outside pricing info.
The latest exploit worked by using a flashloan to govern the worth oracle for a liquidity supplier (LP) token used by the protocol’s market application. This allowed the attacker to borrow a bigger quantity of the protocol’s stablecoin DOLA than the number of collateral they posted, letting them pocket the difference.
The attack comes simply over 2 months after the same April a pair of exploit that saw attackers by artificial means manipulate collateralized token costs through a value oracle to drain funds using the inflated costs.
In response to the attack, Inverse Finance temporarily paused borrowing and removed its DOLA stablecoin from the money market while it investigated the incident, saying no user funds were at risk.
It later confirmed that only the attacker's deposited collateral was affected in the incident and solely incurred a debt to itself due to the taken DOLA. It inspired the attacker to come back the funds in return for a “generous bounty”.
( Jesse Coghlan, Cointelegraph, 2022 )