Inverse Finance Oracle Manipulation
$15.6M drained from Inverse Finance by manipulating its Keep3r INV/ETH oracle via a private mempool bundle, bypassing TWAP in a single invisible block.
- Date
- Victim
- Inverse Finance
- Chain(s)
- Status
- Funds Stolen
On April 2, 2022, the lending protocol Inverse Finance was exploited for approximately $15.6 million through a sophisticated oracle-manipulation attack on its Anchor lending market. The attacker bypassed standard TWAP protections by routing the manipulation through a private mempool bundle — making the exploit invisible to the arbitrage bots that would normally have neutralized it.
What happened
Inverse's Anchor markets used the Keep3r oracle to track the INV/ETH price. Anchor accepted INV as collateral and let users borrow other assets against it based on the Keep3r-reported price.
The Keep3r oracle was meant to be flash-loan-resistant via time-weighted averaging — but the implementation read its underlying price feed from a Sushiswap INV/WETH pool with very thin liquidity. The attacker realised they could move the pool's price drastically with a modest one-off swap, and as long as the price recorded in that block was the artificially manipulated one, the TWAP would shift enough to enable borrowing.
The sophisticated wrinkle: the attacker did not use a flash loan. They used 500 ETH of their own funds and submitted the price-manipulation transaction directly to miners via a private bundle (Flashbots-style submission). Because the manipulation never appeared in the public mempool, arbitrage bots could not see it and could not bring the price back in line before Anchor consumed the manipulated reading.
The sequence:
- Submit a private bundle: swap 500 ETH → 1.7K INV through the thin Sushiswap pool, pushing INV's price up roughly 50×.
- In the same block, deposit 1.7K INV as collateral on Anchor; at the manipulated price, the collateral is valued high enough to borrow tens of millions.
- Borrow 1,588 ETH, 94 WBTC, 4M DOLA, and 39.3 YFI — together worth $15.6M.
- Walk away with the borrowed funds; the manipulated INV collateral is worth only ~$644K at fair price.
Aftermath
- Inverse paused affected markets and patched the oracle to use more liquid pools and stricter TWAP windows.
- A second exploit two months later (June 2022) drained an additional $5.8M through a related but distinct oracle-manipulation path.
- The Inverse community reimbursed losses gradually via a debt-token issuance and protocol revenue.
Why it matters
Inverse Finance is the textbook case for why oracle attacks did not stop at flash loans. The defensive industry response to flash-loan oracle manipulation — TWAP, decoupled price feeds, deviation guards — was already in place at Inverse. The attacker simply used their own capital and private transaction routing to defeat the public-mempool arbitrage mechanism that TWAP relies on to stay accurate.
The deeper lesson: oracle security is a function of the liquidity behind the price, not the elegance of the smart-contract code consuming it. A TWAP over a thin pool is a TWAP over manipulable data. Modern lending protocols require multi-source oracle medians and hard liquidity thresholds before accepting a long-tail asset as collateral.
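The liquidity dependence and the admission check described above, as an added Python model (not code from Inverse Finance or Keep3r). The pool reserves, feed values and thresholds are constructed for illustration, and the function names and feed shape are hypothetical.

```python
from statistics import median

def spot_after_swap(reserve_eth, reserve_tok, eth_in, fee=0.003):
    """ETH-per-token spot price of an x*y=k pool after eth_in buys the token."""
    eth_eff = eth_in * (1 - fee)               # fee is withheld from the swap input
    tok_out = reserve_tok * eth_eff / (reserve_eth + eth_eff)
    return (reserve_eth + eth_in) / (reserve_tok - tok_out)

def price_multiple(reserve_eth, reserve_tok, eth_in):
    """How many times the spot price rises for a given buy size."""
    before = reserve_eth / reserve_tok
    return spot_after_swap(reserve_eth, reserve_tok, eth_in) / before

def collateral_price(feeds, min_liquidity_eth, max_deviation, min_sources=2):
    """Return the median of sufficiently liquid feeds, or None to refuse pricing.

    feeds: list of {"price": float, "liquidity_eth": float} (hypothetical shape).
    """
    deep = [f["price"] for f in feeds if f["liquidity_eth"] >= min_liquidity_eth]
    if len(deep) < min_sources:
        return None                            # hard liquidity threshold not met
    mid = median(deep)
    if any(abs(p - mid) / mid > max_deviation for p in deep):
        return None                            # sources disagree: fail closed
    return mid

# Constructed reserves (not the real pool's): same 0.04 ETH/INV price, 1000x apart in depth.
THIN = (80.0, 2_000.0)
DEEP = (80_000.0, 2_000_000.0)

if __name__ == "__main__":
    for name, (eth, tok) in (("thin", THIN), ("deep", DEEP)):
        print(f"{name}: 500 ETH buy moves spot x{price_multiple(eth, tok, 500):.2f}")
    manipulated = spot_after_swap(*THIN, 500)
    feeds = [
        {"price": manipulated, "liquidity_eth": 580.0},     # thin pool, post-swap
        {"price": 0.0400, "liquidity_eth": 80_000.0},       # constructed deep feed
        {"price": 0.0402, "liquidity_eth": 50_000.0},       # constructed deep feed
    ]
    print("gated price:", collateral_price(feeds, 10_000, 0.02))
    print("thin pool only:", collateral_price(feeds[:1], 10_000, 0.02))
```

With only the thin pool available the gate returns `None`, which a lending market would treat as "this asset cannot be priced as collateral" rather than falling back to the single manipulable feed.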
Sources & on-chain evidence
- [01] medium.com: https://medium.com/@RedStone_Finance/oracle-attacks-1-inverse-finance-15m-stolen-9fffb03d5171
- [02] certik.com: https://www.certik.com/resources/blog/inverse-finance-02-april-2022
- [03] therecord.media: https://therecord.media/more-than-15-million-stolen-after-hackers-exploit-defi-platform-inverse-finance