April 03, 2022

The Analysis of Inverse Finance’s Price Manipulation Attack: The Hacker Profited About $15M

Beosin Alert — The Blockchain Security Situation Awareness Platform reported on April 2 that Inverse Finance had suffered an oracle price manipulation attack. The attacker manipulated the INV token price and profited about $15M. Our full analysis follows:

Exploiter 1: 0x117c0391b3483e32aa665b5ecb2cc539669ea7e9

Exploiter 2: 0x8b4c1083cd6aef062298e1fa900df9832c8351b3

Attack tx:



Attack contract:


The attacker first withdrew 900 ETH from Tornado.Cash in preparation for pushing up the price of INV tokens.

The attacker swapped 300 ETH for 374 INV tokens, then swapped a further 200 ETH for 1372 INV tokens, 1746 INV tokens in total. Note the asymmetry: in the first pool, 300 ETH bought only 374 INV, while the later 200 ETH bought 1372 INV. The price of INV in the first pool, the WETH/INV pair, had clearly been pulled up.

The price of the xINV token is calculated from the WETH/INV pair (0x328dfd0139e26cb0fef7b0742b49b0fe4325f821). Since that pool had already been manipulated, and the oracle's timeElapsed interval is short, the attacker could exploit the manipulated price as long as the oracle was not called in the same block, and thereby manipulate the price of xINV tokens.

It can be seen that once the attacker had manipulated the pair, it kept sending mint transactions to make the most of the time interval. At the same time, the attacker deliberately avoided minting in the block in which the price was manipulated (14506358); otherwise the price would have been calculated from the block before the manipulated one.

The attacker then minted with all 1746 INV tokens it held (serving as collateral here) in exchange for 1156 xINV tokens (LP tokens), and used the xINV to borrow a large amount of tokens.

The total loss to Inverse Finance is estimated at 15 million USD.

Beosin’s Recommendation:

It is recommended that project owners use a sufficiently long time interval. For example, as shown in the following Uniswap sample code, timeElapsed must be at least 24 hours.
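To make the recommendation concrete, the following is an added illustration (not Beosin's, Inverse Finance's or Uniswap's own code, and not the Uniswap sample referred to above): a simplified Uniswap V2 style cumulative-price TWAP oracle, read once with a timeElapsed window of a single block and once with a 24-hour window, while a single large buy lands in the block just before the reading. The pool reserves (1000 ETH / 10000 INV), the 300 ETH swap, the 13-second block time and the `Pair`/`TwapOracle` names are constructed for the example, and the UQ112.112 fixed-point accumulator is approximated with Python integers; the block-boundary behaviour described above is not modelled.

```python
# Added illustration (not Beosin's, Inverse Finance's or Uniswap's own code):
# a simplified Uniswap V2 style cumulative-price TWAP, used to compare how a
# single manipulated block moves the reported price for a short versus a
# 24-hour timeElapsed window. Reserves, swap size and block time are
# constructed sample values; the UQ112.112 fixed point is approximated with
# Python ints and floats.
from dataclasses import dataclass

BLOCK_TIME = 13          # seconds per block, constructed approximation
Q112 = 2 ** 112          # fixed-point scale of Uniswap V2 price accumulators
DAY = 24 * 60 * 60


@dataclass
class Pair:
    """Constant-product pool with a cumulative price accumulator."""
    reserve_eth: float
    reserve_inv: float
    price_cumulative: int = 0   # sum of (price * seconds), scaled by Q112
    last_ts: int = 0

    def spot(self) -> float:
        # Price of one INV expressed in ETH.
        return self.reserve_eth / self.reserve_inv

    def cumulative_at(self, now: int) -> int:
        # Accumulator value as a reader would compute it at `now`: the stored
        # value plus the current spot price for the time since the last update.
        return self.price_cumulative + int(self.spot() * Q112) * (now - self.last_ts)

    def swap_eth_for_inv(self, eth_in: float, now: int) -> float:
        # Like Uniswap V2, the accumulator is advanced with the pre-swap price
        # before reserves change, so the post-swap price only starts counting
        # from this timestamp onward.
        self.price_cumulative = self.cumulative_at(now)
        self.last_ts = now
        k = self.reserve_eth * self.reserve_inv
        self.reserve_eth += eth_in
        new_inv = k / self.reserve_eth
        out = self.reserve_inv - new_inv
        self.reserve_inv = new_inv
        return out


@dataclass
class TwapOracle:
    """Time-weighted average price over at least `min_elapsed` seconds."""
    min_elapsed: int
    snap_cum: int = 0
    snap_ts: int = 0

    def snapshot(self, pair: Pair, now: int) -> None:
        self.snap_cum = pair.cumulative_at(now)
        self.snap_ts = now

    def consult(self, pair: Pair, now: int) -> float:
        elapsed = now - self.snap_ts
        if elapsed < self.min_elapsed:
            # The check Beosin recommends: refuse to report a price over a
            # window shorter than the configured minimum.
            raise ValueError(f"timeElapsed {elapsed}s below minimum {self.min_elapsed}s")
        cum = pair.cumulative_at(now)
        price = (cum - self.snap_cum) / elapsed / Q112
        self.snapshot(pair, now)   # advance the window for the next reading
        return price


def twap_after_one_block_manipulation(window: int, eth_in: float = 300.0) -> float:
    """Honest price 0.1 ETH/INV for the whole window, except that a buy of
    `eth_in` ETH lands one block before the oracle is read."""
    pair = Pair(reserve_eth=1000.0, reserve_inv=10000.0)
    oracle = TwapOracle(min_elapsed=window)
    read_ts = window + BLOCK_TIME
    oracle.snapshot(pair, read_ts - window)               # last reading, honest price
    pair.swap_eth_for_inv(eth_in, read_ts - BLOCK_TIME)   # manipulating swap
    return oracle.consult(pair, read_ts)


if __name__ == "__main__":
    honest = 0.1
    for label, window in (("one block", BLOCK_TIME), ("24 hours", DAY)):
        p = twap_after_one_block_manipulation(window)
        print(f"{label:>9} window: TWAP {p:.5f} ETH/INV "
              f"({(p / honest - 1) * 100:+.3f}% vs honest)")
```

With a one-block window the reported TWAP equals the manipulated spot price (about 0.169 ETH/INV, a 69% jump from 0.1), because the manipulated block is the entire averaging window; with a 24-hour window the same swap moves the reading by roughly 0.01%, so the attacker would have to hold the pool at the inflated price for most of a day to move the oracle materially. The `consult` guard also shows the cheap defensive check: a reading over a window shorter than the configured minimum is rejected outright rather than returned.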
