The Ethereum-based Inverse Finance (INV) protocol said it suffered an exploit that allowed an attacker to steal $15.6 million in cryptocurrency.
According to the announcement, the hacker hacked into the Anchor liquidity platform (ANC) and artificially manipulated token prices to be able to borrow against extremely low collateral.
According to analyst firm PeckShield, the attacker took advantage of a vulnerability in the Keep3r price oracle that Inverse uses to track token prices. The hacker tricked the oracle into thinking the INV token was overpriced, and then took out multimillion-dollar loans on Anchor, using the overpriced INV as collateral.
To carry out the attack, the attacker first withdrew 901 ETH (about $3 million) from Tornado Cash. The attacker then injected the funds into several trading pairs on the decentralized SushiSwap exchange, inflating the INV price for the Keep3r price oracle.
A PeckShield spokesperson said the attack was high-risk because the $3 million worth of cryptocurrency to defraud the price oracle would have been completely lost if the INV price had fallen to normal levels.
In total, the attacker managed to steal from 1,588 ETH, 94 WBTC, 39 YFI and 3,999,669 DOLA.
The developers of Inverse said that they plan to compensate all losses.