Inverse Finance: Oracle Price Manipulation (Flash Loan)
Inverse Finance was hit for $5.8M in bad debt — its second oracle manipulation attack in 60 days — after its custom yvCurve LP oracle used raw pool balances that could be distorted with a single 27,000 WBTC flash loan.
Summary #
Inverse Finance suffered a Lending / Money Market on 2022-06-16, resulting in a loss of approximately $6M.
What happened #
Inverse Finance was hit for $5.8M in bad debt — its second oracle manipulation attack in 60 days — after its custom yvCurve LP oracle used raw pool balances that could be distorted with a single 27,000 WBTC flash loan.
Linked factors #
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Likely unaudited oracle addition]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker funded via Tornado Cash 2 minutes before exploit — a known pre-attack pattern]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly (Y/N): Y — massive pool balance distortion detectable on Curve]
- RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Original protocol with Compound-style mechanics]