Inverse Finance is a borrowing and lending protocol that was hit with a different oracle manipulation attack in early April, which resulted in a $15.6 million loss.
Hacker steals over $1.2 million from Inverse Finance, their second such exploit in under three months
Prior to these attacks, FEG had earned some notoriety from a May 2021 Vanity Fair article outlining an alleged pump-and-dump scheme, titled "Inside the Rise and Fall (and Rise and Fall) of Shit Coins". Despite the bad press, much of the FEG community maintained that the article was a smear and nothing more than an attempt by the author to create FUD. "You could literally take every token and this would apply to everyone..." wrote a moderator of the official FEG subreddit.
Deus had suffered a similar attack in March, with an attacker using a flash loan attack to steal more than $3.1 million. Deus reimbursed users who were liquidated in the incident.
According to Deus' CEO, the exploit in this incident was not the same one used in the previous attack. He wrote on Twitter that the exploit was "the first of its kind, a zero-day exploit on Solidly [decentralized crypto exchange] swaps".
Starting on April 18, the projects were targeted with a series of flash loan attacks. The project faced a total of 267 flash loan attacks within one day, leading to major volatility in the ostensibly stable coin. In an impressive display of optimism, a project team member wrote, "This has caused a large price pump. (Also benefited with 3% more burned tokens in fees.) The outcome and intent of the person who has done this, is unknown and it may work in our favour, Do not panic, and do not buy or sell until stable." The attacker made a profit of around $190,000 from the attacks.
Estimated damages to the project were higher than the amount the hacker was able to take for themselves — around $182 million. The $BEAN token, once pegged to $1, dropped to nearly 0. The project creator wrote in the Discord, "We are fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bail out coming." However, they were later slightly more optimistic, writing, "it may also be the start of something good... there may be a path forward. We don't want to comment on next steps until that path is at least visible to us" while reiterating that a bail-out was "highly unlikely". They also told members of their community that they had contacted the FBI about the theft.
Elephant Money is a defi project with some questionable promises — its Twitter account advertises that people can "earn 672% APY", and a recent tweet encouraged people to use Elephant Money "as your new bank: Your share of ELEPHANT tokens can be compared to your debit account, except that it also generates you money. Stampede Perpetual Bonds is your retirement fund." Hopefully no one took them up on their suggestion to put their debit account balance or retirement money into the project.
The hacker complicated things somewhat for OneRing by covering their tracks. They used a "self-destruct" mechanism — typically used by developers to destroy smart contracts that are found to have a bug — to destroy the contract they used to carry out the attack, making it more difficult for OneRing to determine which parts of their codebase were vulnerable and led to the attack.
- "OneRing Finance exploit. Post-mortem — After OShare Hack.", OneRing Finance blog
- Tweet thread by PeckShield