In one of the biggest exploits of the DeFi era, an attacker this morning siphoned more than $37 million from Alpha Homora by leveraging Cream Finance’s Iron Bank protocol-to-protocol lending platform.
Alpha Finance Lab, whose protocol had been audited by Quantstamp and PeckShield, announced on Twitter this morning that it was aware of the attack, that the “loophole” that allowed it had been patched, and that the team had a “prime suspect”:
Dear Alpha community, we have been notified of an exploit on Alpha Homora V2. We are now working with [mentions omitted] on this.
The vulnerability was patched.
We are investigating the stolen money and we already have a prime suspect in it.
– @AlphaFinanceLab, February 13, 2021
The mechanics of the exploit are fairly complex. The attacker used Alpha Homora to borrow from and lend to Iron Bank repeatedly, taking out leveraged loans. Some analysts have speculated that a fake “spell” (Alpha’s own term for the smart contracts that carry out its strategies) is what enabled the exploit:
This contract is a fake Alpha Homora spell; the Alpha Homora system thought it was one of its own.
This “contract” is “owned” by Alpha pic.twitter.com/5OHlWh9Mi1
– Arundai (@arrundai), February 13, 2021
The “fake spell” exploit conceptually mirrors the “evil jar” attack on Pickle Finance, which netted that attacker $20 million late last year. In both cases, the exploited protocol wrongly accepted an attacker-supplied contract as one of its own.
Soon after the successful exploit, the attacker “notified” both Alpha and Iron Bank by sending each of them 1,000 Ether, and also made a donation to Gitcoin.
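To make the defender’s side of that point concrete, here is an added Solidity sketch. It is illustrative code written for this article, not Alpha Homora, Pickle or Iron Bank code, and every name in it (SpellBank, ISpell, allowedSpells, borrowFor) is hypothetical. It contrasts a bank that executes whatever “spell” contract the caller names with one that only delegates to, and only accepts callbacks from, spells explicitly registered by governance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration for this article; not Alpha Homora or Iron Bank code.
// A "spell" here is any contract the bank delegates a strategy step to.
interface ISpell {
    function run(bytes calldata data) external;
}

contract SpellBank {
    address public governance;
    // Explicit allowlist of spell contracts reviewed and approved by governance.
    mapping(address => bool) public allowedSpells;
    // Per-user debt recorded by the bank (kept minimal for the illustration).
    mapping(address => uint256) public debt;

    event SpellAllowed(address indexed spell, bool allowed);

    constructor() {
        governance = msg.sender;
    }

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    // Governance registers or revokes a spell; nothing else can add one.
    function setSpell(address spell, bool allowed) external onlyGovernance {
        allowedSpells[spell] = allowed;
        emit SpellAllowed(spell, allowed);
    }

    // Weak pattern: runs whatever contract the caller names. Anyone can deploy a
    // lookalike "spell" and the bank treats it exactly like an approved one.
    function executeAny(address spell, bytes calldata data) external {
        ISpell(spell).run(data);
    }

    // Hardened pattern: the bank only delegates to allowlisted spells, so a
    // lookalike contract is rejected before it can touch bank state.
    function execute(address spell, bytes calldata data) external {
        require(allowedSpells[spell], "spell not allowlisted");
        ISpell(spell).run(data);
    }

    // Privileged callback that spells invoke mid-strategy. The same allowlist
    // gates it on msg.sender: an unapproved contract cannot borrow here even if
    // it somehow got control flow through some other path.
    function borrowFor(address user, uint256 amount) external {
        require(allowedSpells[msg.sender], "caller is not an allowed spell");
        debt[user] += amount;
    }
}
```

The point worth taking from the sketch is the second check: gating the entry point is not enough if the privileged callbacks a spell reaches during execution (borrowing or lending on a user’s behalf) trust any msg.sender. Both the entry point and every callback need to consult the same governance-maintained allowlist, and allowlist changes should emit events so that unexpected registrations are visible to monitoring.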
Cream Finance said in a statement on Twitter that the Iron Bank exploit had not affected any of its other contracts, and that its money markets were operating normally:
Cream’s contracts and markets were investigated and found to be operating as normal. Markets are re-enabled across V1 and V2.
Postmortem to follow.
– @CreamdotFinance, February 13, 2021
Rescue Protocol?
The question now turns to how users will be compensated if the protocols cannot pressure the “prime suspect” into returning the funds.
The Yearn.Finance and MakerDAO teams set a precedent for “DAOs saving DAOs” last week, when MakerDAO allowed the creation of a custom collateralized debt position backed by newly minted YFI.
While the scale of this exploit is larger than the $11 million loss Yearn suffered, some have speculated that Alpha will likewise mint tokens to cover the loss, and some traders and institutions have already positioned themselves for such a mitigation.
Intrepid on-chain watchers note that Three Arrows Capital sent more than $3 million in ALPHA tokens to Binance this morning, possibly intending to sell:
3AC selling ALPHA? Hey man.. pic.twitter.com/4xjlhZrIze
– Jason La Finance (@Raez_x), February 13, 2021
Currently ALPHA, the governance token of the protocol that suffered the loss, is down 20% to $1.83; CREAM, the governance token of the protocol that enabled the exploit, fell 16% to $222; and AAVE, the governance token of the protocol the attacker used for a flash loan, dropped 2% to $505.