Apr 6 10 tweets 4 min read
Lessons from Inverse Finance's hack.

@InverseFinance was hacked for $15 Million, which should not make anyone in #DeFi happy.

Here's a thread 🧵reflecting on what we (and others) can do to avoid going through the same.

More info at:…

Starts here👇

In short, the #exploit employed a vulnerability whereby the market price for a collateral token ($INV) was manipulated to be higher than it should have been.

Why higher?🧐

So that the attacker could take out a collateralized loan for more than they should have.

By withdrawing more assets than they should have been able to, the exploiter has an open window to repeatedly follow this process, profiting at each round.

The hacker achieved this by manipulating a TWAP feed, an oracle source flagged as problematic multiple times.

The main problem with TWAP (Time-Weighted Average Price) feeds (and why #Fringe does not use them) is that they originate from DEXs.

A DEX like @Uniswap 🦄 enables the permissionless listing of any given asset. This causes some assets, like $INV, to have low volumes...

...which in turn lets traders manipulate the price through their own trading activity.

A manipulated TWAP oracle means, in short, that any platform that uses the oracle will suffer from its manipulation.

To avoid this, using decentralized oracles such as @chainlink's is key.

It's no coincidence that, after the exploit, Inverse announced it'd be replacing its TWAP feeds through a collaboration with Chainlink.

However, there's something else a protocol can do to protect itself from such an attack: To make it unprofitable.👀

Fringe Finance has special protections in place that make these attacks too costly to execute.

This works by including a maximum aggregate borrowing capacity for any given collateral asset, based on the overall market liquidity for that asset.

Therefore, tokens with low market liquidity, which could otherwise have their price manipulated, could not be used to take out loans large enough to make the attack pay, even if TWAP feeds were in use.

In other words, manipulating a single asset's price would NOT guarantee a borrower a juicy return.

This simple limitation removes the incentive to attack and vastly increases its difficulty.
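To make the mechanism concrete, here is an added toy model (not Fringe's code; the numbers, the `cap_fraction` policy knob and the liquidity figure are constructed assumptions). It compares a market whose only limit is the loan-to-value ratio against the oracle price with one that also enforces a liquidity-based aggregate borrow cap per collateral asset, and shows what an over-borrower nets from a manipulated price across repeated rounds.

```python
from dataclasses import dataclass


@dataclass
class Market:
    """Toy lending market (constructed): one collateral token, one borrowable stablecoin."""
    ltv: float            # fraction of collateral value a position may borrow against
    liquidity: float      # overall market liquidity of the collateral token, in USD (assumed input)
    cap_fraction: float   # aggregate borrow cap as a fraction of that liquidity (assumed policy knob)
    total_borrowed: float = 0.0

    def borrow_cap(self) -> float:
        # Protocol-wide ceiling on debt backed by this collateral, tied to real
        # market liquidity rather than to whatever price the oracle reports.
        return self.cap_fraction * self.liquidity

    def max_borrow(self, collateral_units: float, oracle_price: float) -> float:
        # Position-level limit derived from the (possibly manipulated) oracle price...
        by_ltv = collateral_units * oracle_price * self.ltv
        # ...clamped by the remaining aggregate capacity for this asset.
        remaining = max(self.borrow_cap() - self.total_borrowed, 0.0)
        return min(by_ltv, remaining)

    def borrow(self, collateral_units: float, oracle_price: float, amount: float) -> bool:
        if amount > self.max_borrow(collateral_units, oracle_price):
            return False
        self.total_borrowed += amount
        return True


def extraction(market: Market, collateral_units: float, true_price: float,
               oracle_price: float, rounds: int) -> float:
    """Value an over-borrower nets when the oracle reports oracle_price while the
    collateral is really worth true_price, repeating the borrow each round."""
    net = 0.0
    for _ in range(rounds):
        amount = market.max_borrow(collateral_units, oracle_price)
        if amount <= 0 or not market.borrow(collateral_units, oracle_price, amount):
            break
        # Debt taken out minus the real value of the collateral left behind.
        net += amount - collateral_units * true_price
    return net


if __name__ == "__main__":
    # Constructed numbers: token really trades at $10 but the oracle is pushed to $50.
    no_cap = Market(ltv=0.5, liquidity=100_000, cap_fraction=float("inf"))
    capped = Market(ltv=0.5, liquidity=100_000, cap_fraction=0.10)
    print(extraction(no_cap, 1_000, 10, 50, rounds=3))   # 45000.0: profitable every round
    print(extraction(capped, 1_000, 10, 50, rounds=3))   # 0.0: $10k cap equals the real collateral value
```

With the cap in place the manipulated price buys nothing beyond the real collateral value, so the cost of moving the price is pure loss for the attacker; the cap ties that ceiling to liquidity, so the same check protects thin markets automatically.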

As you know, Fringe is committed to being one of the most secure platforms in #DeFi. As such, our intention with this thread is to inform users of good practices to look out for.

Regardless of whether a given project is a "competitor" or not, DeFi's success is everyone's success. We wish nothing but to see this industry become as secure as it should be in these initial stages. DeFi is for everyone.

What good practices would you like to see more?
