Washing crypto is a problem as exploiter gets away with $15 million
Inverse Finance today was drained as an attacker made off with $15 million in crypto before washing it through Tornado Cash.
Inverse Finance is the latest victim of a DeFi exploit resulting in the loss of over $15 million, Peckshield revealed this weekend. The blockchain security firm released a tweet simply stating, “Hi, @InverseFinance, you may want to take a look,” linked to a transaction on Etherscan.
Washing crypto through Tornado Cash
Over the past few hours, the exploiter sent hundreds of Ethereum transactions to Tornado Cash. Tornado Cash is a standard tool among hackers and exploiters to attempt to obfuscate their transaction history. They describe their service as a tool that “improves transaction privacy by breaking the on-chain link between source and destination addresses. It uses a smart contract that accepts ETH deposits that a different address can withdraw.”
Users generate a random key and deposit ETH along with the note. The user then provides proof of the key to the note from another wallet to withdraw the ETH, thus breaking the transaction chain that “only the user possessing the Note can link deposit and withdrawal.”
The exploit involved a TWAP oracle which requires manipulating the price of a governance token of a DeFi project with low liquidity. TWAP stands for Time Weighted Average Price and “is constructed by reading the cumulative price from an ERC20 token pair at the beginning and the end of the desired interval. The difference in this cumulative price can then be divided by the length of the interval to create a TWAP for that period.” A detailed explanation of the exploit is available via a thread created by Chainlink community ambassador, ChainLinkGod.
Another day, another TWAP oracle manipulation
Notes:
1. TWAP time sample was too short
2. DEX liquidity significantly thinner than CEX liquidity
3. On-chain arb opportunities removed by attacker
4. CEX-DEX arb did not occur
5. Market-wide price not as affected as DEX pricing https://t.co/qSgpzAKGxS— ChainLinkGod.eth (@ChainLinkGod) April 2, 2022
The Inverse Finance response
Inverse Finance took to Twitter Spaces this evening to speak about the events of the exploit. In it, they explain how all decisions go through the on-chain governance of the DAO. A question is thus raised as to whether this allows for fast-moving decision-making during crises such as this. The team appeared extremely calm and collected during the Twitter Space, describing the oracle manipulation very matter-of-factly. They blame ‘arbitrage inefficiency’ as the exploiter used $500,000 of collateral to steal $15 million in minutes.
The DAO has now activated the Guardian rule on Anchor to prevent future borrows through the protocol used during the exploit. This is meant to “mitigate any future attacks of the same kind.” They then explain how their “peg protection”allows them to quickly restore market pegs and incentives, which they used in the aftermath of the exploit. The Twitter Space goes on for a further 30 minutes, explaining other features of Inverse Finance in an appeal to restore confidence in the project.
Exploits are not hacks.
What is important to note here is that the person responsible for this action is not a hacker, as some may report. Many articles currently ask, “If DeFi is so great, why does it keep getting hacked?” The answer is that most exploits are not hacks. No code or security permissions were cracked during this latest incident. Instead, an individual took advantage of an oversight by developers.
DeFi involves many moving parts, which are less than five years old. The excitement for such projects is high enough that investors are willing to deposit funds into unproven projects in the hope of enjoying outsized gains.
The governance token of Inverse Finance, INV, usually has a daily average volume of around $900,000 with a market cap of $31 million. The volume is up 5000% today due to the exploit, and the TVL of the project is currently reported at around $27 million. These numbers appear low for the world of crypto but, in reality, are amounts that would be life-changing for most people around the world. It took $500,000 to execute the exploit, which resulted in a 2,900% increase for the ‘attacker.’
By washing the money through Tornado Cash, the argument in favor of DeFi that all transactions are traceable becomes much weaker. The only way, I can see, is to follow the money. The exploiter sent ETH in 100, 10, and 1 denomination. Thus, in this case, tracking it would require tracing every withdrawal of those amounts from Tornado Cash over the foreseeable future. A task that is not viable. Even if this could be achieved, they didn’t do anything illegal. Against the terms of use? Most likely. Questionably ethical? Certainly, but, as we know, DeFi regulation is an evolving area, and this incident came about by someone making completely legal trades on a public blockchain.
DeFi is a work in progress. It highlights a growing need for better practices and increased testing in web3 development. We hope public confidence isn’t ruined by the almost daily reports of DeFi exploits.