Alchemix patches ‘Reverse Rug’ exploit, address $6.5 million shortfall

Published at: June 16, 2021

It’s as miraculous as Aladdin taking off on a magic carpet: in a possible first, some of the users of a decentralized finance protocol were the ones to benefit today from an exploit, turning the concept of a ‘rugpull’ on its head. 

A colloquialism for when liquidity is drained from a project (often an unscrupulous founder or developer draining the funds themselves), depositors and DeFi users are most often the ones holding bad debt and/or worthless tokens — left to hope for compensation plans that can take months or even years to fully vest.

In an exploit today, however, the users are the ones who got to pull at the seams for a change.

This morning, Alchemix announced that the contracts for one of their synthetic assets, alETH, had experienced an “incident.”

There has been an incident with the Alchemix alETH contracts. Together with the fantastic team at @iearnfinance, we have identified the error and are both working on a post-mortem and a solution to the problem.Funds are safe.

— Alchemix (@AlchemixFi) June 16, 2021

In a incident report published later in the day, Alchemix developer “n4n0” said that “an issue with the deployment script of the alETH vault accidentally created additional vaults,” some of which the protocol used to incorrectly calculate outstanding debts, which in turn meant protocol funds were used to “pay off user debts.”

As a result, for a short window of time users were able to withdraw their ETH collateral with their alETH loans still outstanding — a rugpull by the community to the tune of $6.5 million.

Alchemix innovating again... this time with the reverse rugpull.. a 'rugput'Joking aside there was a little incident with the new alETH vault in which nobody lost any funds but some users actually gained@n4n084191635 with a great incident report herehttps://t.co/Vo3cWRnZPx pic.twitter.com/68G3y1s3x0

— ⟠ toast.eth (@intocryptoast) June 16, 2021

Per the incident report, the team paused the mint contract for alETH two and a half hours after the exploit was discovered. The report notes that no users lost funds as a result of the exploit, and that Yearn.Finance — whose yield vaults automatically repay Alchemix’s synthetic loans — suffered no loss as well. Additionally, a “conservative” initial debt ceiling prevented the protocol loss from being more extreme. 

The team, including incident report author n4n0 appear to be taking the loss in stride:

Damn this alETH incident is producing the dankest memes ngl. Credit to @alibyte pic.twitter.com/brk5gUfpST

— n4n0 (@n4n084191635) June 16, 2021

A trio of solutions is being deployed to cover the shortfall, including a temporary increase in protocol fees, a injection of ETH liquidity from Alchemix’s treasury, and a sale of DAI from the treasury for additional ETH. The team says they will be deploying an entirely new vault to address the flaws of the original. 

Further changes may be on the horizon for the alETH asset as well. Alchemix currently has a alETH/ETH pool live on Saddle, a VC-backed fork of Curve Finance, following Curve reportedly turning down creating a pool for the synthetic Ether. However, in the past 48 hours the Curve social media account has been making overtures in an effort to bring Alchemix’s latest synthetic asset back.

Tags
Ethereum
Defi
Dao
Hacks
Related Posts
Alpha Homora loses $37 million following Iron Bank exploit
In one of the largest exploits of the DeFi era, this morning an attacker successfully drained over $37 million from Alpha Homora by leveraging Cream’s Iron Bank protocol-to-protocol lending platform. Alpha Finance Lab, whose protocol was audited by Quantstamp and Peckshield, announced on Twitter this morning that they were aware of an attack, that the “loophole” that allowed it had been patched, and that the team had a “prime suspect”: Dear Alpha community, we've been notified of an exploit on Alpha Homora V2. We're now working with @AndreCronjeTech and @CreamdotFinance together on this. The loophole has been patched. We're in …
Ethereum / Feb. 13, 2021
Bunny and Qubit turns to DAO following $80 million bug exploit
The development team behind Bunny Finance and Qubit has decided to disband the protocol and turn it into a decentralized autonomous organization (DAO). In an official medium post published on Friday, The Bunny Finance team announced that the exploit on Qubit that resulted in $80 million worth of loss has made it impossible for the team to operate at full scale. Thus, they have decided to disband the protocols and give authority to the community. As reported earlier by Cointelegraph, the Qubit bridge called X-bridge facilitated tokens swaps from Ethereum (ETH) to Binance Smart Chain (BSC). The hacker behind the …
Ethereum / Feb. 11, 2022
As Yearn.Finance’s yield vaults grow, ‘crop’ projects define boundaries
With millions and even billions of dollars at stake, industrial-scale yield farming is leading to pockets of resistance as some projects refuse to be left with the chaff. In the past week, team members from no-loss lottery project PoolTogether and exchange liquidity pool provider Curve Finance have proposed ways to reduce the load Yearn.Finance strategies place on their protocols and governance tokens. In a Tweet on Sunday, PoolTogether co-founder Leighton Cusack noted that Yearn has become the primary beneficiary of many of the protocol’s DAI lotteries, as Yearn controls 57% of all DAI funds ($27 million of the $47 million …
Ethereum / June 15, 2021
A million down, a billion to go: How does DeFi reach mass adoption?
A report on Friday from Ethereum metrics website Dune Analytics showed that the decentralized finance (DeFi) ecosystem now counts over 1 million unique Ethereum addresses as participants — an over tenfold increase from the 91,000 addresses on Dec. 6, 2019. But while the growth has been undeniable, some experts caution not to interpret the milestone as a sign of widespread adoption. In fact, in order for DeFi to truly break mainstream, many of the emerging vertical’s proponents may have to rethink their communication and outreach strategies. The Dune Analytics report, compiled by aggregating the total number of addresses which have …
Blockchain / Dec. 7, 2020
Aurora pays $6M bug bounty to ethical security hacker through Immunefi
On Tuesday, Ethereum (ETH) bridging and scaling solution Aurora announced it had paid out a $6 million bounty to ethical security hacker pwning.eth, who discovered a critical vulnerability in the Aurora Engine. The exploit allegedly placed over $200 million worth of capital at risk. The sum was paid in collaboration with Immunefi, a leading platform for Web 3.0 bug bounties, with more than $145 million bounties available and over $45 million bounties paid out. On April 26, Immunefi received a report from pwning.eth about a critical flaw in the Aurora Engine that would have enabled the infinite minting of ETH …
Blockchain / June 7, 2022