DeFi faces embattled? About $15 million stolen from Inverse Finance

On April 2, 2022, the public opinion monitoring of Chengdu LianAn Chain Bing-Blockchain Security Situational Awareness Platform showed that the Inverse Finance project had been attacked, with cumulative losses estimated at about 15 million US dollars. The Chengdu Lian’an technical team conducted a relevant analysis on this incident for the first time.

1 The analysis is as follows

Attack address 1:

0x117c0391b3483e32aa665b5ecb2cc539669ea7e9

Attack address 2:

0x8b4c1083cd6aef062298e1fa900df9832c8351b3

Attack transaction hash:

0x20a6dcff06a791a7f8be9f423053ce8caee3f9eecc31df32445fc98d4ccd8365

0x600373f67521324c8068cfd025f121a0843d57ec813411661b07edc5ff781842

Attack contract:

0xea0c959bbb7476ddd6cd4204bdee82b790aa1562

First, the attacker withdrew 900 ETH from Tornado.Cash in preparation for pushing up the price of the INV token.

The attacker exchanged 300 ETH for 374 INV tokens, and then exchanged 200 ETH for 1372 INV tokens, a total of 1746 INV tokens. Note that in the first pool 300 ETH bought only 374 INV tokens, while 200 ETH later bought 1372 INV tokens: the INV price in the first pool, WETH/INV, had been pushed up significantly.

The xINV token price is calculated from the WETH/INV pair (0x328dfd0139e26cb0fef7b0742b49b0fe4325f821). Because the pair's pool had been manipulated and the timeElapsed interval is short, the attacker could use the manipulated price as long as the call was not made in the same block as the manipulation, and could thereby manipulate the value of the xINV token.

While manipulating the pair, the attacker kept sending mint transactions to make maximum use of the time window. The attacker also avoided minting in the price-manipulating block (14506358) itself; otherwise the price would have been calculated from the block before the price-manipulating block.

The attacker then minted with all 1746 INV tokens held (treated here as collateral), receiving 1156 xINV tokens (LP tokens) in exchange, and then used the xINV held to borrow a large amount of tokens.

The cumulative loss to the Inverse Finance project is estimated at approximately US$15 million.

Chengdu Lianan recommends that the project use a sufficiently long time window. For example, refer to the Uniswap sample code, in which timeElapsed must be greater than 24 hours.
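The effect of the window length, as an added example (not the Uniswap sample code the article refers to, and not Inverse Finance's code): a simplified Python model of a Uniswap V2-style cumulative-price oracle, read with a one-block window and with a 24-hour window. The class and function names, the 13-second block time and the two prices are assumptions constructed for illustration.

```python
from dataclasses import dataclass

BLOCK_TIME = 13                   # seconds per block (assumed)
DAY = 24 * 60 * 60
HONEST, MANIPULATED = 0.15, 1.5   # constructed ETH-per-INV prices, not incident data

@dataclass
class Pair:
    """Uniswap V2-style pair: keeps a running sum of price * seconds."""
    price: float
    timestamp: int = 0
    price_cumulative: float = 0.0

    def sync(self, now, new_price=None):
        # Elapsed time is credited at the price that held *before* this call,
        # so a swap only shows up in the accumulator in later blocks.
        self.price_cumulative += self.price * (now - self.timestamp)
        self.timestamp = now
        if new_price is not None:
            self.price = new_price

class TwapOracle:
    """Average price between checkpoints at least min_period seconds apart."""
    def __init__(self, pair, min_period):
        self.pair, self.min_period = pair, min_period
        self.last_cumulative = pair.price_cumulative
        self.last_timestamp = pair.timestamp
        self.average = pair.price     # assumed starting value

    def update(self, now):
        self.pair.sync(now)
        elapsed = now - self.last_timestamp
        if elapsed == 0 or elapsed < self.min_period:
            return self.average       # window not elapsed: keep the old average
        self.average = (self.pair.price_cumulative - self.last_cumulative) / elapsed
        self.last_cumulative, self.last_timestamp = self.pair.price_cumulative, now
        return self.average

def simulate(min_period):
    """Return the oracle price in the manipulating block and in the next block."""
    pair = Pair(price=HONEST)
    oracle = TwapOracle(pair, min_period)
    t_attack = DAY - BLOCK_TIME
    pair.sync(t_attack, new_price=MANIPULATED)   # one large swap moves the spot price
    same_block = oracle.update(t_attack)
    next_block = oracle.update(t_attack + BLOCK_TIME)
    return same_block, next_block

if __name__ == "__main__":
    for label, period in (("one-block window", BLOCK_TIME), ("24-hour window", DAY)):
        print(label, simulate(period))
```

With the one-block window the reading in the block after the swap equals the manipulated price, while the 24-hour window moves by a fraction of a percent; in both cases the manipulating block itself still reports the old price.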

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/defi-faces-embattled-about-15-million-stolen-from-inverse-finance/