
InfinitySix Hit by Oracle Attack: Exploiter Arbs 270k USDT via Stale TWAP Prices

According to monitoring by ExVul, the DeFi project InfinitySix on BNB Chain (BSC) was targeted in a flash loan attack, resulting in a loss of approximately 273,800 USDT.

  • Attack Timestamp: March 31, 2026
  • Target Project: InfinitySix
  • Project Overview: InfinitySix is a DeFi protocol deployed on the BNB Chain (BSC) that features investment yield and referral reward mechanisms. Its core reward settlement logic relies on a Time-Weighted Average Price (TWAP) oracle.
  • Total Loss: ~$270,000
  • Attack Vector: Oracle Misconfiguration

Incident Review & Technical Details

  1. Attack Path:

    • Initial Positioning & Price Locking: The attacker initiated a flash loan of 270k WBNB via Moolah and borrowed approximately 125.9M USDT from Venus and PancakeSwap V3. They performed a small initial invest() to establish themselves as a legitimate "referrer." At this point, the TWAP price within the 1-minute window was locked at approximately 1.05 USDT/i6.
    • Massive Investment & Price Manipulation: Using a helper contract as the "invitee," the attacker deposited roughly 124M USDT. This triggered two outcomes: first, it generated a referral bonus of ~6.2M USDT for the attacker’s account; second, the massive buy-in caused the instantaneous spot price in the LP pool to skyrocket to 15,528 USDT/i6.
    • Exploiting Oracle Latency: Due to the 1-minute update delay of the TWAP oracle, when withdraw() was called within the same transaction, the contract still utilized the stale price of 1.05 USDT to calculate the number of tokens equivalent to the 6.2M USDT bonus.
    • Excessive Withdrawal & Dumping: Consequently, the attacker withdrew approximately 5.6M i6 tokens (whereas at the actual market price, they should have only received ~399 i6). The attacker then dumped all these i6 tokens back into the LP pool for USDT, repaid the flash loans, and exited with the profit.
  2. Impact: The liquidity pool for the project's $i6 token was nearly drained, causing the token price to collapse and resulting in severe capital losses for participants.

  3. Root Cause Analysis: This exploit is a classic case of oracle manipulation combined with architectural design flaws. The core vulnerabilities include:

    • Instant Reward Accrual: Allowing referral bonuses to be claimed immediately following a large capital injection.
    • Stale TWAP Usage: Settling high-value assets using an outdated average price rather than the real-time spot price during periods of extreme volatility.
    • Lack of Flash Loan Defenses: Absence of a same-transaction "cooling period" or withdrawal lock-up.
  4. Investigation Status: The attacker executed this arbitrage through a complex multi-step flash loan sequence, and the funds have been successfully bridged/laundered. It is recommended that similar protocols implement price deviation checks or integrate multi-source oracle verification when processing large-scale withdrawals.
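The three root causes above (instant bonus accrual, settlement at a stale TWAP, and no same-transaction lock-up) and the recommended price deviation check can all be addressed at the point where a bonus is converted into tokens. The contract below is an added illustration written for this write-up; it is not InfinitySix's code, and the oracle interface, token decimals, the 5% tolerance and the 20-block cooling period are assumptions chosen for the example. It deliberately exposes the pricing formula the incident abused (bonus in USDT divided by USDT-per-i6 price) so the effect of each guard can be reasoned about against the figures in the attack path: with the stale 1.05 price the formula yields millions of i6, with the 15,528 spot price only a few hundred, and the deviation check refuses to settle while those two prices disagree.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical oracle interface (assumed; not the project's real oracle).
/// Both prices are USDT per i6, scaled by 1e18.
interface IPriceOracle {
    function twapPrice() external view returns (uint256);
    function spotPrice() external view returns (uint256);
}

/// Illustrative hardened bonus settlement. Deposit transfers, referral
/// accounting and the final token transfer are omitted to keep the focus
/// on the pricing and timing guards.
contract HardenedRewardSettlement {
    IPriceOracle public immutable oracle;

    // Assumed tolerances for this example.
    uint256 public constant MAX_DEVIATION_BPS = 500;    // 5% TWAP vs spot
    uint256 public constant WITHDRAW_DELAY_BLOCKS = 20; // cooling period

    mapping(address => uint256) public pendingBonusUsdt; // 1e18-scaled USDT
    mapping(address => uint256) public lastDepositBlock;

    constructor(IPriceOracle _oracle) {
        oracle = _oracle;
    }

    /// Called by the deposit path: record the bonus but also remember when
    /// it was earned, so it cannot be cashed out in the same transaction.
    function _recordBonus(address account, uint256 bonusUsdt) internal {
        pendingBonusUsdt[account] += bonusUsdt;
        lastDepositBlock[account] = block.number;
    }

    /// The settlement formula itself: bonus (USDT, 1e18) / price (USDT per
    /// i6, 1e18) = i6 tokens (1e18). With a stale price this is the number
    /// that balloons; the guards in withdrawBonus decide which price feeds it.
    function tokensForBonus(uint256 bonusUsdt, uint256 priceUsdtPerI6)
        public pure returns (uint256)
    {
        require(priceUsdtPerI6 > 0, "zero price");
        return bonusUsdt * 1e18 / priceUsdtPerI6;
    }

    /// Relative distance between TWAP and spot, in basis points of the TWAP.
    function deviationBps(uint256 twap, uint256 spot) public pure returns (uint256) {
        require(twap > 0, "zero twap");
        uint256 diff = twap > spot ? twap - spot : spot - twap;
        return diff * 10000 / twap;
    }

    function withdrawBonus() external returns (uint256 tokensOut) {
        // Guard 1: cooling period. A flash loan lives inside one block, so
        // requiring later blocks breaks the deposit-then-withdraw sequence.
        require(
            block.number >= lastDepositBlock[msg.sender] + WITHDRAW_DELAY_BLOCKS,
            "cooling period not elapsed"
        );

        uint256 twap = oracle.twapPrice();
        uint256 spot = oracle.spotPrice();

        // Guard 2: price deviation check. A TWAP of 1.05 against a spot of
        // 15,528 is far outside any sane tolerance, so settlement halts
        // instead of paying out at the lagging average.
        require(deviationBps(twap, spot) <= MAX_DEVIATION_BPS, "price deviation");

        // Guard 3: even within tolerance, settle at the price that is less
        // favourable to the withdrawer, so a small lag cannot be farmed.
        uint256 price = twap > spot ? twap : spot;

        uint256 bonus = pendingBonusUsdt[msg.sender];
        pendingBonusUsdt[msg.sender] = 0; // effects before interactions
        tokensOut = tokensForBonus(bonus, price);
        // i6 transfer to msg.sender omitted in this illustration.
    }
}
```

The deviation check and the cooling period are complementary rather than redundant: the cooling period alone still lets an attacker who is willing to hold a position across blocks settle against a lagging TWAP, and the deviation check alone can be bypassed if the attacker manages to move the TWAP itself over a longer window. Multi-source oracle verification, as the write-up recommends, would replace the single `IPriceOracle` with a comparison across independent feeds inside the same guard.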


AUTOSEC.DEV Solution: Building a 360-Degree Defense

To counter hybrid attacks involving "Web2 Breach + Web3 Monetization," AUTOSEC.DEV provides comprehensive protection from code to personnel:

  1. Team OPSEC (Operations Security) Audit & Hardening: We provide enterprise-grade security training and configuration for core Web3 team members. We assist teams in deploying security hardware and risk detection software to increase the difficulty of social engineering attacks, while auditing password management protocols and device security policies.
  2. End-to-End Incident Response (IR): In an emergency, every second of confusion amplifies the loss. AUTOSEC.DEV provides standardized SOPs (Standard Operating Procedures) and rapid response services tailored to specific business needs to help projects mitigate losses quickly.

Reference

https://x.com/exvulsec/status/2038823338034987369