DeFi Protocol Inverse Finance Exploited for $1.2M

Ethereum-based decentralized finance (DeFi) tool Inverse Finance was exploited for more than $1.2 million worth of cryptocurrency on Thursday morning, on-chain data appears to show.

Exploiters seemed to use a flash loan attack to trick the protocol and steal more than 53 bitcoin, worth $1.1 million, and 10,000 tether USDT$0.9998, a stablecoin backed on a 1-1 basis with U.S. dollars. The exploit comes just over two months after attackers stole $15 million worth of cryptocurrencies from Inverse Finance in a similar attack, as previously reported.

During European hours Thursday, Inverse Finance developers paused borrowing functions for users and said they were investigating the incident.

Flash loans are a DeFi-specific mechanism allowing users to borrow high amounts of capital on little collateral as long as the loan is paid back within the same transaction. They are generally used by traders, but bad actors may use flash loans to trick a protocol’s smart contract into manipulating prices on liquidity pools and take over that pool’s assets.

Blockchain data apparently shows the exploiters flash-borrowed some 27,000 wrapped bitcoin from lending protocol Aave to conduct the attack. The funds were routed through swap service Curve for various stablecoins before being used to remove DOLA, a stablecoin, from Inverse Finance pools.

An address tagged as “Inverse Finance Exploiter” on blockchain analysis tool Etherscan apparently sent 900 ether, worth $1 million, to privacy mixer Tornado Cash following the exploit, data shows.

Tornado Cash allows users to mask addresses and is sometimes employed by attackers to hide their stolen funds.