Arbitrage on blockchain staged again: Inverse Finance loses over $15M in oracle manipulation

Inverse Finance, which is a Decentralised Finance (DeFi) platform that facilitates borrowing and the lending of cryptos, suffered an attack due to price manipulation of Keep3r TWAP oracle machines, with a cumulative loss of $14.75 million on 2nd April 2022.

In recent years, with the exponential growth of the DeFi market, the Oracle, as an important part of the DeFi security, has been attacked frequently. However, the price of INV (the governance token of inverse Finance) has been manipulated, which is not a flash loan attack, nor has it anything to do with the smart contract or front-end code of Inverse Finance. but the time window used by the TWAP Oracle is unreasonable.

Another manifestation of price manipulation is arbitrage on the chain. After the rise of DeFi, blockchain networks such as Ethereum not only supported the transfer of transactions on the chain but also provided interactive scenarios for smart contracts such as staking, lending, derivatives, etc., which also increased the value that can be captured on the chain. The value extracted mainly through arbitrage and clearing MEV (maximum extractable value) is also growing rapidly. In particular, Flashbots launched the visual MEV product “MEV Explore V1” which clearly presents MEV to us.

Due to the intermittent trading behavior of the arbitrage robot on the chain, if the attacker manipulates the oracle machine and completes it in a block without the help of a flash loan, preventing MEV bots from front running becomes a problem that the attacker needs to consider.

On 26th January 2022, a hacker used a similar method to attack the Index Coop Pool of Rari, the lending platform. However, the hacker’s attack was “intercepted” by MeV bots and ended with a loss of 68 ETH.

Although the attacker prepared 241 batch addresses in advance, with 1.5 ETH paid for each address, this operation is not to launch DDoS attacks to prevent other roles (usually arbitrage robots) from arbitrage after detecting abnormal fluctuations in INV price but to ensure that the attack transactions can be packaged into the next block.

If the situation of MEV-bots arbitrage exists, his subsequent attacks may face double losses like the attackers of the Index Coop Pool.

Full Process Analysis

Background

Inverse Finance is a set of decentralized financial instruments without a license, which is managed by the decentralized autonomous organization Inverse Dao running on the Ethereum blockchain. The main products of inverse finance are anchor (loan) and Dola (stable currency).

According to the analysis of OKLink, the key to this attack is that although the price oracle got the TWAP price, the time slot is short, with only two adjacent values, which makes it possible to manipulate the TWAP oracle.

In addition, the liquidity of INV (INV-ETH pair) in Sushiswap is very low. Only 300 ETH (about US $103.5 million) is exchanged for INV, which can significantly increase the INV price. This also allows attackers to borrow US $14.75 million in assets (including 1588 ETHh, 94 WBTC, 4 million Dola, and 39 YFI) at INV Finance with 1746 INV (value of about $0.644 million) as collateral. After the INV price is corrected, the INV collateral of the attacker is cleared.

Address&List

Address 1: 0x117C0391B3483E32AA665b5ecb2Cc539669EA7E9

Address 2: 0x8B4C1083cd6Aef062298E1Fa900df9832c8351b3

Contract: 0xea0c959bbb7476ddd6cd4204bdee82b790aa1562

Batch Account Hash: 0x561e94c8040c82f8ec717a03e49923385ff6c9e11da641fbc518ac318e588984

INV transaction Hash: , Block 14506358:

0x20a6dcff06a791a7f8be9f423053ce8caee3f9eecc31df32445fc98d4ccd8365

Exploit Implementation Attack Hash, block 14506359:

0x600373f67521324c8068cfd025f121a0843d57ec813411661b07edc5ff781842

Oracle Contract: 0x39b1dF026010b5aEA781f90542EE19E900F2Db15

Process

1. The hacker extracted 901ETH from Tornado Cash and prepared a batch of accounts – sent 1.5 ETH (361.5 ETH in total) to 241 blank accounts as commissions through Dispose, and the transaction hash 0x561e

2. Deploy the attack contract 0xea0c. The hacker trades 300 ETH and 200 ETH into WETH, and uses 300 WETH (about US $1.035 million) in the INV-WETH pool of Sushiswap to buy 374 INV.

Initially, it had 46 WETH + 432 INV. After trading 374 INV with 300 ETH, the pool rose 346WETH + 58 INV, that is, the INV price rose from 0.106 WETH (about $366) to 5.966 WETH (about $20,583).

Subsequently, the hacker used DOLA3POOL3Crv&Sushiswap to trade 200 WETH (about $0.69 million) into 1372 INV. The price of this part of INV is 0.146 WETH ($504).

The hacker has sold 1746 INV in accumulative transactions, and the transaction hash 0x20a6

3. With the price of INV being modified, the hacker staked 1746 INV through Inverse Finance, and the current value of one INV was $20,583, thus lending a total of $14.75 million in assets, including 1,588 ETH (about $5.479 million), 94 WBTC (about $4.352 million), 4 million DOLA (about $4million), and 39 YFI (about $0.917 million)

 Analysis

The reason why hackers can successfully steal the $14.75 million assets of “Inverse Finance” is that although the price of the oracle machine adopts the TWAP price, the data is only two adjacent values.

First, let’s briefly introduce TWAP (Time Weighted Average Price). TWAP oracle is one of the decentralized oracle machines. It eliminates hackers’ manipulation of the price of oracle machine by means of time-weighted average prices (including eliminating flash loans), thus increasing the cost of hackers’ price manipulation.

In the case of this attack, the Keep3r TWAP price is linked in block 14506358. Hackers need to use the price in the next block to borrow excess assets at the manipulated price. Details are as follows: Oracle contract 0x39b1：

#4-6: in order to obtain the TWAP price, the value is manipulated, and the height of the block in the price manipulation transaction is 14506358.

#10-12: the attack transaction occurs at block height 14506359, so the logic is to obtain the price before manipulation.

#17: The calculation here is actually to calculate two adjacent prices to make the manipulated TWAP price work.

Batch Accounts

The hacker prepared 241 batch accounts in the transaction hash 0x561e. Each address paid 1.5 ETH as the gas fee, and these accounts started sending attack transactions before the price manipulation transactions (block height 14506358) occurred.

From the transaction history of the attack contract, it can be seen that the attack transaction has been sent at the block height of 14,506,357, and the price manipulation occurs at the next block 14,506,358, and the specific attack transaction occurs at the next block 14,506,359.

Hackers only use these accounts to ensure that the attack transaction can be concluded in the next block of price manipulation so that the manipulated price can play a role; However, it can not prevent other operators (generally MEV bots) from arbitrage when they hear that the INV price rises from 0.106 ETH to 5.966 ETH (selling INV will bring the price back to the normal value).

We analyze the 200 WETH in the second part of the price manipulation transaction. After selling DOLA from the curve transaction, hackers buy INV in the DOLA-INV pool of Sushiswap. The pool originally had 2188077 DOLA + 5734 INV (price: 382 DOLA/INV). After trading 690203 DOLA into 1372 INV, the pool became 2878280 DOLA+ 4362 INV (price: 660 DOLA/INV).

We have previously calculated that hackers raise the INV price from 0.106 WETH (about $366) to 5.966 WETH (about $20,583) in the WETH-INV pool, while in the DOLA-INV pool, it is 0.146 WETH ($504), which means that if MEV bots buy INV from this pool and then sell it to the WETH-INV pool, arbitrage can be realized, but the actual situation is that no MEV bots initiate arbitrage transactions.

On the other hand, the block height of price manipulation transactions is 14,506,358, only 199 transactions, and the use of gas is only 52.27%, so the purpose of 241 accounts to send transactions is not to fill the block to prevent other transactions.

In addition, WETH-INV trading was not frequent before price manipulation trading.

Similar Attacks With Different Results

On 26th January 2022, a hacker attacked the Index Coop Pool of Rari, a lending platform, similarly, but the attack failed.

Hackers bought BED worth 285 ETH (a synthetic asset composed of WETH, WBTC, and DPI), hoping to significantly raise the BEP price and affect the Uniswap V3 TWAP Oracle, and then mortgaged BED prepared in advance to lend other assets.

Since BED has little liquidity in other markets, theoretically the attack will succeed. However, hackers ignored that BED itself is a synthetic asset. In addition to the liquidity in the market, it can also use the corresponding equivalent asset mint.

So MEV bots launched a “counterattack” in the next block where hackers launched attacks. MEV bots mint 4,915.91 BED and sell them by purchasing WETH, WBTC, and DPI, directly bringing the price back to the normal level. Since the TWAP oracle is used, the fluctuation of a single block cannot affect the final oracle price. So the attacker’s plan fell through and eventually lost 68 ETH.

As of 8th April, the extracted value of MeV had reached $608 million, of which 99.4% came from arbitrage. The value of MeV withdrawals over the past 30 days was $7.4 million.

Summary

As an important infrastructure of the DeFi ecosystem, the security of the oracle is the guarantee for the prosperity and development of the DeFi ecosystem. OKLink believes that the security audit should review the price algorithm and economic model of the oracle. When the project side designs the loan pool, the economic model of Staking&Lending should pay attention not only to the price but also to the liquidity. Poor liquidity will lead to easy manipulation of the token price. Targeted testing of the oracle should be strengthened before it is released to the public, and regular security checks should be conducted on the oracle after it is released.