Inverse Finance stung for $1.2 million via flash loan attack

From The Register, with thanks

Cryptocurrency-related matters only

Inverse Finance, a decentralized autonomous organization (DAO), was robbed of cryptocurrency worth $1.2 million just two months after it was robbed of $15.6 million.

Oracle price manipulation led to a net loss of $5.83 million in DOLA for Inverse Finance’s Frontier money market, with the attacker pocketing a total of $1.2 million, the company said in a Thursday post attributed to its Head of Growth “Patb.”

Inverse Finance, meanwhile, wants its money. “First and foremost, we urge the perpetrator(s) of this act to return the funds to Inverse Finance DAO in exchange for a generous bounty,” Patb said when asked about the DAO’s plans in response to the incident.


The attacker’s alleged use of Tornado Cash, a cryptocurrency mixing and tumbling protocol, makes this unlikely. In a strange twist of fate, the service is also popular for laundering money.

The attacker borrowed $5.83 million from the DAO to carry out the attack, resulting in a net loss of $5.83 million. Rather than funds owed to a specific person, Inverse Finance treats it as bad debt.

The “decentralized autonomous organization” (DAO), created by Nour Haridy in 2020, doesn’t provide much information about its leaders.

Inverse Finance made headlines in April after a $15.6 million Ponzi scheme.

A few questions were posed to those involved with Inverse Finance via Twitter and Discord.

We were able to connect with Patb through Discord. The following is a transcript of our conversation, with minor edits for readability and proper capitalization:

ElReg: Is Inverse Finance, Inc. a legal business entity? Is it an individual or a group?

Patb: A DAO is not incorporated into the company. I’d like to know a little more about what you’re working on.

ElReg: I’m researching the recent $1.2 million hack. So, from a legal standpoint, how do DAOs work? Does a lawsuit against a company’s principals name each of the company’s directors and officers by name? Moreover, do you know if your smart contract code had a flaw that led to the hack? It could also have been a result of other people’s code.

Patb: We don’t use that language here.

ElReg: I’d like to know more about this. Do you know how this bug got started? Aside from Nour, why aren’t the others on the team properly identified? Including that kind of information would appear to be a good way to build trust. I’m not going to put money into a company with no physical location and only a few people I can identify as the owners.

For the next 18 minutes, no one said anything. Eventually, Patb replied with a link to the aforementioned Inverse Finance post. When this story was filed, there was still an unanswered question.

To understand Patb’s blog post, one must have a working knowledge of cryptocurrency jargon, which can be a challenge for those who don’t.

For the most part, the attacker used a flash loan to trick the protocol and seize control of the assets.

Patb’s post states that Inverse Finance is “increasing its security operations staff.” An independent team was formed to look into the oracle’s architecture and implementation, which was subsequently involved in April’s incident.

If you’re still unsure about what a DAO is or why anyone would invest in such a thing, Investopedia and other encyclopedias can help you sort through cryptocurrency’s cryptic lingo.

“The DAO developers believed they could eliminate human error or manipulation of investor funds by placing decision-making power in the hands of an automated system and a crowdsourced process,” says one key passage.

Wait for it to sink in. Reading it a second time may be necessary.

At least the venture’s optimism wasn’t stolen from Inverse Finance.

Patb concludes his post by stating, “We are also taking immediate steps to incentivize additional liquidity within the DOLA-3POOL,” and “We’ll have more to say about this in the near future.” ®