Inverse Finance snatched for $1.2m via flash loan attack • The Register
A Decentralized Autonomous Organization (DAO) called Inverse Finance has had $1.2 million worth of cryptocurrency stolen by an attacker, just two months after it was drained of $15.6 million.
“Inverse Finance’s Frontier money market has been the subject of an oracle price manipulation incident which resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million,” the organization said Thursday in a post attributed to its chief growth officer “Patb.”
And Inverse Finance would like to recover its funds. Listing the actions the DAO intends to take in response to the incident, Patb said: “First, we encourage the person(s) behind this incident to return the funds to the DAO Inverse Finance in exchange for a generous bonus.”
This seems unlikely given that the attacker funneled the funds through Tornado Cash, a cryptocurrency mixing (or tumbling) service designed to obscure the source of funds. The service is also popular for money laundering.
The net loss of $5.83 million represents funds the attacker borrowed from the DAO to carry out the attack. Inverse Finance therefore views it as a bad debt rather than as funds that need to be refunded to any individual.
The DAO, founded by Nour Haridy in 2020, doesn’t provide much detail about who runs things, if anyone can be said to be running things in a “decentralized autonomous organization”.
Inverse Finance hit the headlines in April after being exploited for $15.6 million.
The Register reached out to people associated with Inverse Finance via Twitter and Discord in the hope of asking a few questions.
We managed to reach Patb via Discord. Here’s how the conversation went (with minor edits for proper capitalization and readability):
ElReg: Is Inverse Finance really an incorporated business anywhere? Or just a group of people?
patb: Not incorporated – a DAO. Can you share a bit of context on what you write?
ElReg: Working on a story about the recent $1.2 million hack. So how do DAOs work from a legal standpoint? If disgruntled investors want to sue someone, do they name the principals individually? And do you know if the hack was the result of a bug in your smart contract code? Or was it the result of code created by others?
patb: Not our smart contract code.
ElReg: Can you elaborate? Do you have any idea how the bug appeared? Also, how come the team members aren’t fully named other than Nour? It seems that including this type of information would help build trust. I would not want to invest funds in an entity with no fixed address and few identified principals.
At that point, the conversation stopped for 18 minutes. Patb eventually responded with a link to the Inverse Finance post quoted above. The other questions remained unanswered at the time this story was filed.
Patb’s blog post provides details of what happened, but these are rather difficult to decipher for those not steeped in cryptocurrency lingo:
Basically, the attacker used a flash loan – a loan taken out and repaid immediately – to manipulate the protocol’s price oracle and obtain control of the assets.
According to Patb’s post, Inverse Finance is “adding additional security operations talent to the Inverse team.” That is in addition to engaging “a competent third-party team to review the architecture and implementation of the oracle involved in today’s incident,” and to the input and guidance received after the April incident.
If you still don’t know what a DAO is or why someone would invest money in such a thing, you might find some kind of answer on Investopedia, among other resources for deciphering the deliberately obtuse terminology of the cryptocurrency world.
Here’s a salient passage: “The developers of the DAO believed they could eliminate human error or manipulation of investor funds by placing decision-making power in the hands of an automated system and participatory process.”
Let it sink in. Maybe even read it a second time.
As for Inverse Finance, at least the thief didn’t run away with the company’s optimism.
“We are also taking immediate action to incentivize additional liquidity in the DOLA-3POOL,” Patb’s message concludes. “More information on this will be available soon.” ®