Inverse Finance exploit: $1.2 million lost in a flash loan attack

By: SCORECHAIN

Date: June 21st 2022

Published on: Global News

Tags: Crypto Compliance, Cryptocurrency, DeFi, Flash loan attack, hack, RiskAML

Inverse Finance has once again fallen victim to an exploit. On Thursday, the DeFi protocol lost $1.2 million after suffering a flash loan attack.

Inverse Finance suffers two exploits within just two months

Inverse Finance is a decentralized DeFi protocol with a total value locked of $11.08 million. On June 16th, the company announced losing $5+ million in an exploit. The attacker, however, managed to run off with only $1.2 million.

More specifically, on June 16th the attacker manipulated the oracle price of the protocol’s Frontier money market through a flash loan. A flash loan in DeFi allows users to borrow crypto funds, use them and repay them in a single transaction. However, flash loans have become a common way to perpetrate DeFi hacks. For example, Cream Finance, Beanstalk, and Deus DAO protocols have all been hit by this type of attack.

Inverse Finance had already been exploited on April 2nd through a price manipulation attack, which resulted in the loss of $15.6 million.

Where are the funds related to the Inverse Finance exploit?

First, the Inverse Finance attacker funded the exploit address through Tornado Cash minutes before the attack. The attacker transferred 0.98 ETH worth around $1,200 to make the flash loan.

Figure: Details about the transaction that was used to fund the Inverse Finance exploit address (Scorechain platform screenshot)

Then, the attacker managed to steal 53.24 WBTC and 99,976.29 USDT amounting to a total loss of $1.2+ million.

Figure: Amount of WBTC stolen from Inverse Finance (Scorechain platform screenshot)
Figure: Amount of USDT stolen from Inverse Finance (Scorechain platform screenshot)

The stolen WBTC and USDT were quickly swapped to ETH on the Uniswap decentralized exchange (DEX). On our Investigation Tool, we can see, for example, that the attacker sent 53.24 WBTC, corresponding to the amount stolen, to Uniswap and swapped it for 983 ETH. The tool accordingly flagged the transaction as a DEX trade.

Figure: Swap details on Scorechain’s Investigation Tool

Finally, the attacker sent 1,000 ETH to the Tornado Cash mixing service in batches of 100 ETH. The attacker used Tornado Cash to mix the tainted coins with other funds and obfuscate the trail of the funds.

Figure: Details of transactions sent to Tornado Cash on Scorechain’s Investigation Tool

For now, the Inverse Finance exploit address still has a balance of 68.46 ETH worth around $75,000 as shown below. We will keep on monitoring the funds related to the exploit.

Figure: Balance of the Inverse Finance exploit address on Scorechain’s interface
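The flow traced above (mixer funding shortly before the theft, a DEX swap, then repeated same-size mixer deposits) can be turned into simple monitoring flags. The following is an added example, not Scorechain's code: the entity labels, timestamps, the `Transfer` record and the `risk_flags` function with its `window` parameter are assumptions made for illustration, and only the amounts come from the article.

```python
from collections import Counter
from dataclasses import dataclass

# Placeholder entity labels (constructed): the article lists no addresses.
MIXER, DEX, VICTIM, SUBJECT = ("tornado_cash", "uniswap",
                               "inverse_finance", "exploit_address")

@dataclass(frozen=True)
class Transfer:
    ts: int        # seconds from an arbitrary start (constructed)
    src: str
    dst: str
    asset: str
    amount: float

# Constructed sample: amounts follow the article, timestamps are invented.
TRANSFERS = [
    Transfer(0, MIXER, SUBJECT, "ETH", 0.98),        # funding before the attack
    Transfer(300, VICTIM, SUBJECT, "WBTC", 53.24),   # stolen funds
    Transfer(300, VICTIM, SUBJECT, "USDT", 99976.29),
    Transfer(600, SUBJECT, DEX, "WBTC", 53.24),      # swap leg out
    Transfer(600, DEX, SUBJECT, "ETH", 983.0),       # swap leg in
] + [Transfer(900 + 60 * i, SUBJECT, MIXER, "ETH", 100.0) for i in range(10)]

def risk_flags(transfers, subject, window=3600):
    """Summarise mixer and DEX exposure of `subject` from labelled transfers."""
    from_mixer = [t for t in transfers if t.src == MIXER and t.dst == subject]
    to_mixer = [t for t in transfers if t.src == subject and t.dst == MIXER]
    # First inbound value that is neither mixer funding nor a swap return.
    other_in = [t.ts for t in transfers
                if t.dst == subject and t.src not in (MIXER, DEX)]
    first_in = min(other_in, default=None)
    batches = Counter((t.asset, t.amount) for t in to_mixer)
    return {
        # Mixer funding arriving at most `window` seconds before that inflow.
        "mixer_funded": first_in is not None and any(
            0 <= first_in - t.ts <= window for t in from_mixer),
        "dex_swap": any(t.src == subject and t.dst == DEX for t in transfers),
        # Repeated identical deposits, here ten deposits of 100 ETH.
        "mixer_batches": {k: n for k, n in batches.items() if n >= 2},
        "eth_to_mixer": sum(t.amount for t in to_mixer if t.asset == "ETH"),
    }

if __name__ == "__main__":
    print(risk_flags(TRANSFERS, SUBJECT))
```

In practice the labels would come from an attribution data set that maps addresses to entities, and the flags would feed a risk score rather than a hard block.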

How to prevent exposure to illicit funds?

Governments all over the world are regulating crypto-assets to prevent their unlawful use, such as money laundering. Companies onboarding crypto-assets should therefore ensure they have all the necessary tools and processes in place to avoid facilitating the movement of illicit crypto funds and to mitigate their exposure to money laundering risks.

Scorechain’s blockchain analytics solution can help compliance officers mitigate such risks and adopt a risk-based approach to crypto transaction monitoring. Our solution deanonymizes blockchain data and raises red flags on high-risk activities such as scams, hacks, dark web, etc., helping customers promptly identify illicit funds and report them to authorities if necessary.

Would you like to discover how you can leverage blockchain analytics to reduce unnecessary exposure to risks? Don’t hesitate to request a demo.

About Scorechain

Scorechain is a Risk-AML software provider for cryptocurrencies and digital assets. As a leader in crypto compliance, the Luxembourgish company has helped more than 200 customers in 45 countries since 2015, ranging from cryptocurrency businesses to financial institutions with crypto trading, custody branch, digital assets, customers onboarding, audit and law firms, and some LEAs.

The Scorechain solution supports Bitcoin analytics with Lightning Network detection, Ethereum analytics with all ERC20 tokens and stablecoins, Litecoin, Bitcoin Cash, Dash, XRP Ledger, Tezos, Tron with TRC10 and TRC20 tokens, and BSC with BEP20 tokens. The software can de-anonymize blockchain data and connect with sanction lists to provide risk scoring on digital assets, transactions, addresses, and entities. The risk assessment methodology applied by Scorechain has been verified and can be fully customized to fit all jurisdictions. 300+ risk-AML scenarios are provided to its customers with a wide range of risk indicators so businesses under the scope of the crypto regulation can report suspicious activity to authorities with enhanced due diligence.
