Alpha Homora loses $37 million following Iron Bank exploit

In one of the biggest exploits of the DeFi era, this morning an attacker siphoned over $ 37 million from Alpha Homora by leveraging Iron Bank’s Iron Bank protocol lending platform.

The Alpha Finance Lab, whose protocol was audited by Quantstamp and Peckshield, announced on Twitter this morning that they were aware of an attack, that the “loophole” that allowed it had been patched, and that the team had a “prime suspect”:

The treatment of exploitation is significantly complex. The attacker used Alpha Homora to frequently borrow and lend with Iron Bank, allowing leveraged loans. Some analysts have speculated that a fake “spell” (the term that carries the alpha trademark for a smart contract) was what enabled the vulnerability:

The exploitation of the “spell / fake contract” conceptually reflects the “evil urn” attack on Pickle Finance, which earned the attacker $ 20 million late last year. In both cases, the exploited protocols wrongly responded to the fake contracts.

Soon after the successful exploitation, the attacker “notified” both Alpha and Iron Bank, which publishes 1,000 Ether each, and also made a donation to Gitcoin.

Careem Finance said in a statement on Twitter that the Iron Bank exploitation had not affected any of their other contracts, and that their financial markets were operating normally:

Rescue Protocol?

The question now turns to how to compensate users in the event that the protocols cannot pressure the “prime suspect” to return the funds.

The Yearn.Finance and MakerDAO team set a precedent with “DAOs saving the DAOs” last week when MakerDAO allowed the creation of a custom Guaranteed Debt Center from the newly minted Yearn Cabinet.

While the scale of the exploitation is greater than the $ 11 million Yearn has suffered, some have speculated that Alpha will also print tokens to cover the loss – and some traders and institutions have already put themselves in place for such mitigation.

Intrepid chain watchers note that Three Arrows Capital sent more than $ 3 million in ALPHA tokens to Binance this morning, possibly with the intent to sell:

Currently, ALPHA, the governance symbol for the protocol that has suffered losses, is down 20% to $ 1.83; CREAM, the governance token for the protocol that enabled the exploit, fell 16% to $ 222; AAVE, the governance token for the protocol the scalper used to get a quick loan, dropped 2% to $ 505.