Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million. The affected market—yvcrv3crypto—utilized Chainlink price data instead of the internal exchange rate of the Curve protocol, which allowed the attacker to flashborrow 27,000 in wBTC and trade it into the tricrypto pool, which caused the price of the yvcrv3crypto LP token to jump in value, in the eyes of the oracle and created an opportunity to borrow DOLA against that collateral in Frontier. You can see the Etherscan here.
While we did incorporate Chainlink oracles as part of our own price feed to determine the underlying asset price for the yvcrv3crypto LP token, the actual AMM LP token price feed of the token in this incident was manipulated much higher, enabling the attacker to execute the incident. It is worth noting that this oracle implementation was reviewed by a competent third-party team as well. By relying on the Chainlink oracle for individual tokens, which was correct, the price feed incorrectly calculated the value of the AMM LP tokens.
How are Users of Frontier and the DAO affected?
No user-deposited collateral was affected in this incident, only that of the attacker, whose yvcrv3crypto collateral has been liquidated. As the attacker borrowed DOLA supplied by the Frontier Fed, Inverse Finance DAO did incur $5.8 million in bad DOLA debt. This means that Inverse Finance DAO now in effect owes itself (the Frontier Fed) in addition to the $3.65MM in DOLA debt incurred in the April 2, 2022 incident. Since this is a debt that Inverse Finance DAO owes to itself, there are no individual users directly affected by this incident which therefore requires no modifications to the make-good plan for the affected April 2nd users beyond what we have previously announced and begun executing against in response to the April 2, 2022 incident.
How does this affect DOLA?
The DAO aggressively defended the DOLA peg today, providing further evidence of DOLA’s resiliency against attacks like this one, regardless of market conditions. The amount of DOLA liquidity deployed across DOLA Fed contracts was contracted and expanded today in exactly the way they are supposed to operate in such a situation.
What steps are being taken?
First, we encourage the person(s) behind this incident to return the funds to the Inverse Finance DAO in return for a generous bounty.
Second, we are gathering data about the attack that we hope to utilize to recover the funds. We will also make this data available to anyone interested in helping us recover the funds and are offering a generous bounty:
Despite getting help from a competent third-party team to review the architecture and implementation of the oracle involved in today’s incident, we are adding additional security operations talent to the Inverse team. Since the April 2nd incident, we benefited from generous security operations contributions from DAO contributors as well as from a third-party consulting firm, but the events of today show we can and must do better.
The bug bounty program we announced in May has already yielded results for us and we will continue to promote this in the developer community.
Borrowing on all assets on Frontier is paused temporarily, though we expect borrowing against assets with Chainlink-only feeds as well as INV to resume shortly. Details about the resumption of DOLA borrows against Yearn assets will be shared soon.
We are continuing to build multiple new products at Inverse and are looking forward to sharing these with you in the coming weeks. An existing draft proposal on GovernorMills to add fresh INV rewards to Frontier is still under discussion, and we are now considering an update to the proposal to make the INV allocation more aggressive, especially when pairing with these pending new product announcements.
We are also taking immediate steps to incentivize additional liquidity in the DOLA-3POOL. More information on this is coming soon.