The recent attack on @CurveFinance (with loss) and @InverseFinance (no loss) is a price manipulation attack. The root cause: Curve Lend's liquidation mechanism is incompatible with atomically-changable oracles. Attack process: (1) the attacker soft-liquidates all users' collateral. Making them "sell" their collateral into crvUSD. (2) The attacker donated to the sDOLA pool to drive the oracle price. (3) Hard-liquidate all users who are soft-liquidated. Users' crvUSD debt are repaid by their crvUSD collateral and remaining goes to the liquidator (attacker). (4) deposit the sDOLA collateral gained to curveLend and borrow crvUSD (for repaying flashloan). Why this attack happened? First, curve Lend has "soft-liquidation" and "hard-liquidation" (assuming you already know the basic background). Soft-liquidation's AMM is based on oracle rather than the curve. When price changes largely atomically, the impermanent loss is instantly realized. EVen when the final price of the collateral is higher than before, the user still got liquidated (because of the impermanent loss, step 1). While others may point out this is a problem in sDOLA's donation, I'd like to say this is not a problem in most cases, it only goes wrong combined with the liquidation. Also, $sDOLA farmers are enjoying their juicy overnight yield of 10%!

@CurveFinance @InverseFinance I want to add @InverseFinance is not the victim. @CurveFinance Lend loopers are actually rekt.

@CurveFinance @InverseFinance I want to add that @InverseFinance is not the victim. @CurveFinance Lend sDOLA market loopers are actually rekt.