TL:DR
In light of last week’s Inverse Finance exploit we thought it worth taking a look at the one earlier this year. By comparison, the April attack was 12 times costlier than the second attack which netted the attacker "only" ~$1.2M.
On Apr-02-2022 11:04:09 AM +UTC, Inverse Finance, which enables users to borrow assets against their tokens, was exploited, leading to ~$14.5M worth of asset loss.
The root cause of the attack was price manipulation of the ‘external price oracle’ dependency. The attacker purchased INV tokens then through the price manipulation then inflated the price of INV. This allowed them to borrow 1588 ETH, 94 WBTC, 3999_669 DOLA and 39 YFI (~14.5M), considerably more than their INV was worth.
Event Summary
On Apr-02-2022 11:04:09 AM +UTC, Inverse Finance, which enables users to borrow assets against their tokens, was exploited, leading to ~$14.5M worth of asset loss.
Inverse Finance is a suite of permission-less decentralized finance tools governed by Inverse DAO, a decentralized autonomous organization running on the Ethereum blockchain.
The main Inverse Finance products are Anchor and DOLA stablecoin
-
Anchor is a money market and synthetic asset protocol enabling capital efficient borrowing & lending
-
DOLA is a stablecoin token that tracks the price of $1. DOLA can be minted by using other assets on Anchor as collateral and can also be used itself as collateral to borrow other assets on Anchor
-
INV Token A governance token with the additional functionality to be used as a collateral asset in anchor
Inverse Finance is governed and run by its community of token holders (numbering over 2000 holders) and elected delegates.
The INV-ETH pair contained 432 INV and 46 ETH. The attacker started out by swapping 300 ETH for 374 INV on SushiSwap leaving 57.7 INV and 346 ETH in liquidity. This significantly increases the INV price.
The attacker then swaps 200 ETH for 690,203 DOLA using Curve.fi and immediately swaps the 690,203 DOLA for 1,372 INV on SushiSwap. The INV tokens are then deposited in order to mint 1,746 XINV tokens. The price of XINV is based on the price of INV from SushiSwap which is now hugely inflated. This allows the attacker to borrow 1588 ETH, 94 WBTC, 3999_669 DOLA and 39 YFI against 1,746 INV.
Attack Technical Analysis
Preparation stage:
Attacker deploys a malicious contract 0xea0c9 to launch the attack.
Attacker makes swaps in SushiSwap/Curve.fi to manipulate the price of INV / XINV in this TXN
Swap 300 ETH for 374 INV in SushiSwap
Swap 200 ETH for 690,307 USDC in SushiSwap
Swap 690,307 USDC for 690,203 DOLA in Curve.fi
Swap 690,203 DOLA for 1,372 INV in SushiSwap
As the liquidity in SushiSwap:INV (INV-ETH Pair) was very low, swapping 300 ETH for INV significantly increases the INV price.
Before the swap, there is 432 INV and 46 ETH in liquidity.
After the swap, there is 57.7 INV and 346 ETH in liquidity.
Attack Stage:
-
The attacker deposits INV obtained in the preparation stage and mints 1746 XINV tokens.
-
The price of XINV is calculated based on the price of INV from SushiSwap:INV pair. As mentioned above, the price of INV was manipulated and results in each XINV being worth $20926.
- With the increase in the price of XINV, the attacker was able to borrow assets with the minted XINV tokens.
The borrowed assets include 1588 ETH, 94 WBTC, 3999_669 DOLA and 39 YFI.
For example, the manipulated price of XINV was used when the attacker was borrowing DOLA.
Contract Vulnerability Analysis
The vulnerability stems from the price oracle dependency, which applies the TWAP with a 30-min time window. However, only 15 seconds have passed when the attacking transaction occurred, after the preparation stage.
In this case, the check ‘timeElapsed > periodSize` in the function _update() of the oracle contract Keep3rV2Oracle will be bypassed because the timeElapsed == 15. That means the last observed cumulative price has not been updated.
The amoutOut in the function _computeAmountOut() will be larger than expected amount, as the priceCumulative has been manipulated, but the _observation.priceCumulative has not been updated.
The price of XINV relies on the reserves in the SushiSwap:INV pair (INV-ETH Pair), which had very low liquidity. An advantage of setting up this was is TWAP can prevent flash loan attacks.
In this particular price oracle design, the current price (from the reserves) should not be used to compute the amoutOut if the timeElapsed has not been over 30 mins.
Profit and Assets Tracing
The borrowed assets include 1588 ETH, 94 WBTC, 3999_669 DOLA and 39 YFI which equated to approximately $14.5M. The assets were sold and 42 transactions of 100 ETH were sent to Tornado Cash.
Would we spot the issue during the audit?
Our audits would detect that the price is reliant upon a price Oracle. The contract employs TWAP which can prevent flash loan attacks. The attacker circumvented this by using 500 ETH of their own funds, thereby avoiding the use of a flash loan.
