DeFi protocol Inverse Finance suffered a flash loan exploit this morning leading to a loss of about $1.2 million.
The exploit was launched using an initial fund of 1 Eth which was later withdrawn using Tornado Cash.
The attacker then carried out a flash loan using 27,000 wrapped bitcoin (worth about $579 million) at around 4:47 a.m. ET, according to an on-chain data.
The exploited funds included 53 BTC and 100,000 USDT.
The attackers account currently has 68 Eth while 1000 Eth were deposited to Tornado Cash.
As a response, Inverse Finance tweeted that no user funds were taken or were at risk.
The company has also temporarily paused borrowing and announced that DOLA was removed from their money market Frontier.
According to the security firm PeckShield, the exploit was made possible due to price oracle manipulation, which misused the balances of assets in the pool to directly calculate the LP token price.
This was facilitated by the flash loan to skew the reserves in the pool.
Only in April, Inverse Finance was attacked by another hacker leading to a loss of about $15.6 million worth of crypto.
The attacker successfully manipulated the price of INV tokens by accessing Oracle on a decentralized exchange Sushiswap.