Inertia has published a post-mortem report linking a recent exploit that drained assets from five lending markets to a known weakness in the ERC4626 tokenized vault standard. The attack allowed fraudsters to manipulate the pricing of roETH, a collateral token used across Inertia's lending pools, the report said.
The Post-Mortem Findings
The report, released Tuesday, detailed how the attackers exploited an old vulnerability in the ERC4626 implementation. The flaw made it possible to artificially alter the perceived value of roETH collateral, letting the attackers borrow more than their deposits should have allowed. Inertia did not name the specific lending markets affected or specify the total value lost.
How the Exploit Worked
According to the post-mortem, the manipulation started with a series of carefully timed transactions. By exploiting the ERC4626 weakness, the attackers could inflate the price of roETH within Inertia's oracle-driven pricing system. This gave them the ability to open large, undercollateralized positions across multiple lending markets simultaneously. The report described the vulnerability as an “old weakness”—a reminder that even widely adopted standards can harbor risks long after their introduction.
Impact Across Five Lending Markets
Assets were drained from five distinct lending markets before the exploit was detected and halted. Inertia did not disclose the identities of the affected pools or whether any user funds were recovered. The post-mortem focused on the technical underpinnings of the attack, offering no immediate updates on compensation plans for depositors.
Inertia said it has since deployed additional monitoring and is working with security auditors to review its broader smart-contract infrastructure. The company did not announce a timeline for patching the specific ERC4626 flaw, nor did it say whether the attackers had been identified.
