What Happened
On Saturday (April 2nd) the Keep3r TWAP oracle for INV was compromised through a capital-intensive manipulation of the INV/WETH price oracle on Sushiswap. This produced a sharp rise in the price of INV, which in turn enabled the attacker to borrow $15.6 million in DOLA, ETH, WBTC, and YFI. The manipulation was not a flash loan attack and was not related to Inverse’s smart contract or front end code; it stemmed from an error in the TWAP oracle sampling method.
Details of the Price Manipulation
(h/t https://twitter.com/peckshield)
1. At approx. 08:00 EDT on April 2, 2022 the attacker withdrew 901 ETH from Tornado Cash and made a series of trades, primarily in the INV/DOLA pool on SushiSwap. This pool maintained relatively light liquidity compared to INV liquidity on, for example, Coinbase.
2. A TWAP window size bug in the INV-DOLA amTWAP oracle led to a temporary surge in the price of INV to $20,926.
3. The attacker staked newly acquired (and temporarily mis-priced) INV on Anchor as collateral, borrowed 1,588 ETH, 94 WBTC, 4MM DOLA, and 39 YFI. The attacker transferred the borrowed funds to a new wallet. After the INV price was corrected, the attacker’s INV collateral was liquidated.
4. The attacker used a series of spam transactions to hide the true attack, which removed the on-chain arbitrage opportunities that would normally occur. Similarly, no arbitrage occurred between CEXs like Coinbase and DEXs like SushiSwap.
5. More details of the mechanics of the TWAP manipulation: https://twitter.com/x/status/1510243383507361797
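Why the length of the TWAP window matters, as an added example (not Inverse Finance's or Keep3r's code): it assumes Uniswap-V2-style cumulative price observations and shows a guard that refuses to quote a price unless the averaging window covers a minimum time span. The names Observation, record, twap and guarded_twap, the 1800-second minimum and all sample prices are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    timestamp: int            # seconds
    price_cumulative: float   # running sum of spot price * seconds it was in effect

def record(samples):
    """Turn (timestamp, spot_price) samples into cumulative observations.
    Assumption: each spot price holds until the next sample."""
    observations, cumulative = [], 0.0
    for i, (ts, _) in enumerate(samples):
        if i > 0:
            prev_ts, prev_price = samples[i - 1]
            cumulative += prev_price * (ts - prev_ts)
        observations.append(Observation(ts, cumulative))
    return observations

def twap(older, newer):
    """Time-weighted average price between two observations."""
    elapsed = newer.timestamp - older.timestamp
    if elapsed <= 0:
        raise ValueError("observations must be strictly ordered in time")
    return (newer.price_cumulative - older.price_cumulative) / elapsed

def guarded_twap(observations, min_window):
    """Average over at least min_window seconds, or refuse to quote."""
    newest = observations[-1]
    for older in reversed(observations[:-1]):
        if newest.timestamp - older.timestamp >= min_window:
            return twap(older, newest)
    raise ValueError("history does not cover the minimum window")

# Constructed samples: a steady price of 400, then a distorted spot price
# of 20,000 that has been in effect for only 15 seconds.
SAMPLES = [(0, 400.0), (600, 400.0), (1200, 400.0), (1800, 20000.0), (1815, 20000.0)]
OBS = record(SAMPLES)

def short_window_price():
    return twap(OBS[-2], OBS[-1])              # 15-second window

def long_window_price():
    return guarded_twap(OBS, min_window=1800)  # 1815-second window

if __name__ == "__main__":
    print(short_window_price(), round(long_window_price(), 2))
```

With a 15-second window the reported average equals the distorted spot price, while the same 15 seconds averaged over the enforced minimum window moves the reported price far less.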
Who Is Affected
Stakers of WBTC, ETH, YFI and DOLA on Anchor may have been affected. The attackers borrowed those assets against the artificially inflated INV they had staked and collateralized.
Objectives For How Inverse Finance DAO Will Respond
Our path forward has three simple objectives:
Ensure all wallets affected by the incident are made whole/repaid 100%
Fiercely defend DOLA’s USD peg
Avoid use of the INV governance token as a means for repayment
Initial Steps Towards Making Good On Our Objectives
The first action was taken yesterday in order to prevent any further incidents when we temporarily paused borrowing on Anchor. Anchor’s borrow markets will remain paused until revised INV oracle code can be reviewed, tested and deployed. This may require several days.
Our next priority is to aggressively boost DOLA liquidity on Curve. To date we have mostly stayed out of the so-called “Curve Wars”, viewing them as a short-term substitute for more practical, long-term organic demand generation. In light of our need to make users affected by yesterday’s incident whole, our need for additional DOLA leads us to invest more aggressively in increasing DOLA liquidity on Curve. This will in part be funded by re-allocating INV tokens currently allocated to Anchor rewards elsewhere (e.g. rewards for staking WBTC); however, reward rates on Anchor for xINV staking and select other tokens like DOLA 3POOL will continue or, in the case of xINV rewards, are likely to increase substantially.
We are continuing to model additional alternatives for accelerating this make-good for our users, with more details to follow in the coming days and weeks. For now, our move to deepen liquidity is our top priority, and more details on our exact strategy will also be made transparent in the coming days.
Timing
If you were affected by this incident, our goal is to ensure that you are made whole as soon as possible. At this date, we are still working through our options and there is no hard date for the completion of this process, but we believe the time frame will be measured in weeks or a few months.
Additional Comments
The price manipulation incident was carried out against the INV-ETH amTWAP oracle, not against DOLA. The DOLA peg was well-maintained throughout the weekend and we will continue to fiercely defend DOLA’s USD peg.
The person(s) behind the incident are encouraged to reach out to facilitate a return of the borrowed funds in exchange for a generous bounty. We are also inviting members of the community with experience in forensics to join our investigation of the incident.
Next Steps
If you were affected by the incident, please visit the #missioncontrol channel in the Inverse Discord server http://discord.gg/InverseFinance and feel free to ask any questions to our moderators.
We will continue to update the Inverse Finance community regularly throughout the week.
We are truly grateful to all our community members, strategic partners, and other new friends we’ve met over the past 48 hours who have joined forces with us and worked so hard in our response!
Disclaimer: This content is for informational purposes only and should not be construed as legal, tax, investment, financial, or other advice.