Inverse Finance Frontier (Anchor) Oracle Attack - April 2, 2022
Overview
Inverse Finance, an Ethereum-based lending protocol, was exploited: an attacker took $15.6 million worth of cryptocurrency from its Anchor (Frontier) money market.
Attack Mechanism
The attacker withdrew 901 ETH (about $3 million) from Tornado Cash, then injected the funds into several trading pairs on the decentralized exchange SushiSwap — inflating the price of INV in the eyes of the Keep3r price oracle.
With the price of INV sufficiently high, the attacker took out INV-backed loans on Anchor, then exited before arbitrageurs brought the price of INV back down to normal levels.
Attack Vector / Steps
1. Withdrew 901 ETH (~$3M) from Tornado Cash to fund the attack
2. Pumped the INV/ETH SushiSwap pool with successive buys to manipulate the spot price used by the Keep3r time-weighted oracle
3. Once the on-chain TWAP read by Anchor's price feed was sufficiently inflated, deposited INV as collateral on Anchor (Frontier money market)
4. Borrowed against the manipulated value: 1,588 ETH, 94 WBTC, 39 YFI, and 3,999,669 DOLA
5. Walked away as arbitrageurs corrected the SushiSwap price; Anchor was left with bad debt of $15.6M
Stolen Assets
• 1,588 ETH
• 94 WBTC
• 39 YFI
• 3,999,669 DOLA
Root Cause
The root cause was reliance on the Keep3r on-chain oracle, which read prices from a thin SushiSwap INV/ETH pool. The TWAP could be moved with a few million dollars of capital because the pool depth was small relative to the protocol's borrowing limits.
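A screening check for the sizing problem described above, added here as an illustration and not taken from Inverse Finance, Keep3r or SushiSwap code. It assumes a no-fee constant-product pool and a simple time-weighted average; the function names and all reserve, cap and window figures are constructed.

```python
from math import sqrt

# Model assumptions (not from the page): no-fee constant-product pool
# (x * y = k) and an oracle that averages spot price weighted by time held.

def spot_multiplier(reserve_eth: float, eth_in: float) -> float:
    """Factor by which the token's ETH price rises after a buy of eth_in."""
    # price = x / y with y = k / x, so price scales with x squared
    return ((reserve_eth + eth_in) / reserve_eth) ** 2

def twap(samples: list[tuple[float, float]]) -> float:
    """Time-weighted average of (price, seconds_held) samples."""
    total = sum(seconds for _, seconds in samples)
    if total <= 0:
        raise ValueError("window must have positive duration")
    return sum(price * seconds for price, seconds in samples) / total

def capital_to_shift_twap(reserve_eth: float, twap_multiplier: float,
                          held_fraction: float) -> float:
    """ETH buy size that lifts the TWAP by twap_multiplier when the moved
    spot price persists for held_fraction of the averaging window."""
    if not 0 < held_fraction <= 1 or twap_multiplier < 1:
        raise ValueError("need 0 < held_fraction <= 1 and multiplier >= 1")
    spot_needed = (twap_multiplier - (1 - held_fraction)) / held_fraction
    return reserve_eth * (sqrt(spot_needed) - 1)

def feed_is_undersized(reserve_eth: float, borrow_cap_eth: float,
                       twap_multiplier: float = 1.75,
                       held_fraction: float = 0.25) -> bool:
    """Flag a price feed whose pool can be moved for less than the market
    lets users borrow against the collateral it prices."""
    needed = capital_to_shift_twap(reserve_eth, twap_multiplier, held_fraction)
    return needed < borrow_cap_eth

if __name__ == "__main__":
    # Constructed figures, not Inverse Finance's actual reserves or caps.
    for reserve in (1_000.0, 100_000.0):
        cost = capital_to_shift_twap(reserve, 1.75, 0.25)
        flag = feed_is_undersized(reserve, borrow_cap_eth=5_000.0)
        print(f"reserve={reserve:>9.0f} ETH  cost={cost:>9.0f} ETH  undersized={flag}")
```

A feed this flags needs a deeper pool, a lower borrow cap or an independent price source before it prices collateral.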
Post-Mortem Response
• Inverse temporarily paused all borrowing on Anchor
• A representative for the protocol told CoinDesk it was working with Chainlink to build a new INV oracle
• Inverse announced a DAO proposal to ensure all wallets impacted by the price manipulation are repaid 100%