Alpha Homora loses $37 million following Iron Bank exploit

Though a “prime suspect” has been identified, how will the protocol make itself whole?

In one of the largest exploits of the DeFi era, this morning an attacker successfully drained over $37 million from Alpha Homora by leveraging Cream’s Iron Bank protocol-to-protocol lending platform. 

Alpha Finance Lab, whose protocol was audited by Quantstamp and Peckshield, announced on Twitter this morning that they were aware of an attack, that the “loophole” that allowed it had been patched, and that the team had a “prime suspect”:

Dear Alpha community, we’ve been notified of an exploit on Alpha Homora V2. We’re now working with @AndreCronjeTech and @CreamdotFinance together on this.

The loophole has been patched.

We’re in the process of investigating the stolen fund, and have a prime suspect already.

— Alpha Finance Lab (@AlphaFinanceLab) February 13, 2021

The transaction from the exploit is notably complex. The attacker used Alpha Homora to borrow and lend repeatedly with Iron Bank, which allows for leveraged lending. Some analysts have speculated that a faked “spell” (Alpha’s branded term for a smart contract) is what enabled the exploit:

That contract is a faked Alpha Homora spell, Alpha Homora’s system thought it was one of their own;

That “contract” is “owned” by Alpha

— Arrundai (@arrundai) February 13, 2021

This “fake spell/contract” exploit conceptually echoes the “evil jar” attack on Pickle Finance that netted an attacker $20 million late last year. In both cases, the exploited protocols erroneously responded to faked contracts.

Shortly after the successful exploit, the attacker “tipped” the Alpha and Iron Bank deployers 1,000 Ether each, and also made a Gitcoin donation.

Cream Finance said in a statement on Twitter that the Iron Bank exploit did not impact any of their other contracts, and that their money markets were functioning normally:

C.R.E.A.M. contracts and markets were investigated and found to be functioning as normal. Markets have been re-enabled across both V1 and V2.

Post mortem to follow.

— Cream Finance (@CreamdotFinance) February 13, 2021

Protocol Bailout?

The question now turns to how users will be compensated in the event the protocols cannot pressure their “prime suspect” into returning the funds. 

The Yearn.Finance team and MakerDAO set a precedent with “DAOs bailing out DAOs” last week when MakerDAO allowed for the creation of a custom-built collateralized debt position from Yearn’s newly-minted treasury.

While the size of the exploit is larger than the $11 million Yearn suffered, some have speculated that Alpha will likewise print tokens to cover the loss — and some traders and institutions have already positioned themselves for such a dilution.

Intrepid chain activity monitors noticed that Three Arrows Capital sent over $3 million in ALPHA tokens to Binance this morning, possibly with the intention of selling:

3AC selling $Alpha? Oh man..

— Jason La Finance (@Raez_x) February 13, 2021

Currently, ALPHA, the governance token of the protocol which suffered the losses, is down 20% to $1.83; CREAM, the governance token of the protocol that enabled the exploit, is down 16% to $222; AAVE, the governance token of the protocol that the exploiter used for a flash loan, is down 2% to $505. 
