Inertia Exploit Highlights Persistent ERC4626 Vulnerabilities in DeFi Lending

AMBCrypto

Summary

DeFi lending protocol Inertia suffered a $152,000 exploit on 25 May due to an ERC4626 vulnerability. Attackers manipulated roETH collateral prices across five markets (USDC, INIT, sINIT, TIA, and roTIA) over a one-hour and 13-minute window. The exploit caused a 99.7% drop in roETH supply and inflated its exchange rate 27x, from 1.234 to 33.75 stETH. The protocol acknowledged oracle failures. Insurance Fund payouts restored balances, and lending has resumed. Inertia will implement multi-source oracle validation, tighter collateral rules, and deviation circuit breakers to prevent future attacks.

DeFi lending protocol Inertia says a recent exploit that drained roughly $152,000 across multiple lending markets stemmed from a long-known ERC4626 vulnerability class that still bypassed key oracle and risk-management protections.

In a detailed post-mortem published on 25 May, the protocol said attackers manipulated the price of roETH collateral before borrowing assets across five Inertia lending markets.

The exploit affected USDC, INIT, sINIT, TIA, and roTIA markets during an attack window lasting roughly one hour and 13 minutes.

Inertia said its Insurance Fund has already restored all affected user balances and confirmed lending operations have resumed.

Attack exploited known ERC4626 share-price weaknesses

According to the protocol, attackers used a combination of supply reduction and direct token donations to manipulate the exchange rate of the roETH liquid staking contract.

The exploit centered on a known ERC4626 vulnerability pattern involving share-price accounting mechanics.

Inertia said the attackers first reduced the circulating roETH supply by roughly 99.7% through a withdrawal request. They then transferred wstETH directly into the contract without minting additional shares.

That sharply inflated the reported exchange rate.

The protocol said roETH’s reported value jumped from roughly 1.234 stETH per token to nearly 33.75 stETH, creating an inflation factor of around 27x.

Attackers then used the inflated collateral value to drain assets across multiple lending pools.

Oracle safeguards failed to stop abnormal pricing

Inertia said the exploit succeeded not only because of the liquid staking contract vulnerability, but also because its own pricing safeguards failed to contain the manipulated collateral value.

The protocol admitted its pricing system lacked:

  • upper-bound price deviation controls,
  • secondary oracle validation,
  • effective real-time alert responses,
  • and per-account borrowing rate limits.

The protocol also acknowledged that the ERC4626 vulnerability class has been publicly documented since 2022 and already has widely available mitigations.
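
The share-price accounting behind the rate jump, and two of the missing controls listed above (an upper-bound deviation check and a second price source), as an added Python example that is not Inertia's code. The pool size, thresholds and secondary reference value are constructed assumptions; only the 99.7% supply reduction and the 1.234 and 33.75 rates come from the figures quoted in this article.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    """ERC4626-style accounting: rate = assets held / shares outstanding."""
    total_assets: float  # underlying, in stETH units
    total_shares: float  # roETH supply

    def rate(self) -> float:
        return self.total_assets / self.total_shares

    def withdraw(self, shares: float) -> None:
        # Pro-rata redemption: assets and shares shrink together, rate unchanged.
        self.total_assets -= shares * self.rate()
        self.total_shares -= shares

    def donate(self, assets: float) -> None:
        # Direct transfer: assets rise, no shares minted, so the rate rises.
        self.total_assets += assets

class PriceGuard:
    """Accept a new rate only if it passes both checks; else keep last good."""
    def __init__(self, last_good: float, max_step=0.02, max_gap=0.01):
        # max_step and max_gap are hypothetical thresholds for illustration.
        self.last_good, self.max_step, self.max_gap = last_good, max_step, max_gap

    def check(self, primary: float, secondary: float):
        if primary > self.last_good * (1 + self.max_step):
            return False, self.last_good, "upper-bound deviation"
        if abs(primary - secondary) / secondary > self.max_gap:
            return False, self.last_good, "sources disagree"
        self.last_good = primary
        return True, primary, "ok"

def replay():
    # Constructed pool: 1000 shares backed by 1234 stETH -> rate 1.234.
    vault = Vault(total_assets=1234.0, total_shares=1000.0)
    guard = PriceGuard(last_good=vault.rate())
    normal = guard.check(1.236, secondary=1.235)   # ordinary accrual passes
    vault.withdraw(997.0)                          # 99.7% supply reduction
    vault.donate(33.75 * 3 - vault.total_assets)   # sized to reach 33.75
    manipulated = guard.check(vault.rate(), secondary=1.235)
    return vault.rate(), normal, manipulated

if __name__ == "__main__":
    rate, normal, manipulated = replay()
    print(f"reported rate {rate:.2f} ({rate / 1.234:.1f}x)")
    print("normal update:", normal)
    print("manipulated update:", manipulated)
```

With the guard in place, collateral keeps being valued at the last accepted rate while the vault's self-reported rate sits roughly 27x higher, which is the condition a circuit breaker would alert on.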

Inertia plans broader risk-control overhaul

Following the exploit, Inertia said it will overhaul parts of its oracle architecture and collateral review framework.

The protocol plans to introduce:

  • multi-source oracle validation,
  • deviation circuit breakers,
  • tighter listing reviews,
  • and stricter monitoring around liquid staking collateral assets.

Inertia also said it continues coordinating recovery efforts tied to assets that remain traceable across validator queues, liquidity pools, and bridge infrastructure.


Final Summary

  • Inertia said attackers exploited a known ERC4626 vulnerability to inflate roETH collateral prices and drain roughly $152,000 from lending markets.
  • The protocol acknowledged failures in its own oracle safeguards and has begun implementing stricter pricing and risk controls.
