Alpha Homora loses $37 million following Iron Bank exploit

Published at: Feb. 13, 2021

In one of the largest exploits of the DeFi era, this morning an attacker successfully drained over $37 million from Alpha Homora by leveraging Cream’s Iron Bank protocol-to-protocol lending platform. 

Alpha Finance Lab, whose protocol was audited by Quantstamp and Peckshield, announced on Twitter this morning that they were aware of an attack, that the “loophole” that allowed it had been patched, and that the team had a “prime suspect”:

Dear Alpha community, we've been notified of an exploit on Alpha Homora V2. We're now working with @AndreCronjeTech and @CreamdotFinance together on this. The loophole has been patched. We're in the process of investigating the stolen fund, and have a prime suspect already.

— Alpha Finance Lab (@AlphaFinanceLab) February 13, 2021

The transaction from the exploit is notably complex. The attacker used Alpha Homora to borrow and lend repeatedly with Iron Bank, which allows for leveraged lending. Some analysts have speculated that a faked “spell” (Alpha’s branded term for a smart contract) is what enabled the exploit:

That contract is a faked Alpha Homora spell, Alpha Homora's system thought it was one of their own; That "contract" is "owned" by Alpha pic.twitter.com/5OHlWh9Mi1

— Arrundai (@arrundai) February 13, 2021

This “fake spell/contract” exploit conceptually echoes the “evil jar” attack on Pickle Finance that netted an attacker $20 million late last year. In both cases, the exploited protocols errantly responded to faked contracts. 
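The "fake spell" failure mode described above, as an added illustration that is not Alpha Homora's, Cream's or Pickle's code: a hypothetical bank contract that runs whatever spell address the caller supplies, beside one that only runs spells explicitly whitelisted by governance. The contract names, the `execute` signature and the `whitelistedSpells` mapping are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical bank core that lets "spells" (helper contracts) act on positions.
// VULNERABLE: whatever address the caller passes is trusted as a genuine spell.
contract VulnerableBank {
    function execute(address spell, bytes calldata data) external {
        // No check that `spell` is one of the protocol's own contracts, so an
        // attacker-deployed contract is treated exactly like a real spell.
        (bool ok, ) = spell.delegatecall(data);
        require(ok, "spell failed");
    }
}

// HARDENED: a spell must be whitelisted by governance before it can be run.
contract AllowlistedBank {
    address public governor;
    mapping(address => bool) public whitelistedSpells;

    event SpellWhitelisted(address indexed spell, bool status);

    constructor() {
        governor = msg.sender;
    }

    modifier onlyGovernor() {
        require(msg.sender == governor, "not governor");
        _;
    }

    // Governance-only allowlist update; emits an event so monitoring can
    // alert on any unexpected addition of a new spell.
    function setWhitelistSpell(address spell, bool status) external onlyGovernor {
        // Refuse EOAs and not-yet-deployed addresses: a spell must have code.
        require(spell.code.length > 0, "not a contract");
        whitelistedSpells[spell] = status;
        emit SpellWhitelisted(spell, status);
    }

    function execute(address spell, bytes calldata data) external {
        // The caller may still choose which spell runs, but only from the
        // set the protocol itself has approved.
        require(whitelistedSpells[spell], "spell not whitelisted");
        (bool ok, ) = spell.delegatecall(data);
        require(ok, "spell failed");
    }
}
```

The defensive point is the single `require` on the allowlist plus the governance-gated, event-emitting update; any lending path that reads a caller-supplied contract without such a check inherits the same trust problem.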

Shortly after the successful exploit, the attacker “tipped” the Alpha and Iron Bank deployers 1,000 Ether each, and also made a Gitcoin donation.

Cream Finance said in a statement on Twitter that the Iron Bank exploit did not impact any of their other contracts, and that their money markets were functioning normally:

C.R.E.A.M. contracts and markets were investigated and found to be functioning as normal. Markets have been re-enabled across both V1 and V2. Post mortem to follow.

— Cream Finance (@CreamdotFinance) February 13, 2021

Protocol Bailout?

The question now turns to how users will be compensated in the event the protocols cannot pressure their “prime suspect” into returning the funds. 

The Yearn.Finance team and MakerDAO set a precedent with “DAOs bailing out DAOs” last week when MakerDAO allowed for the creation of a custom-built collateralized debt position from Yearn’s newly-minted treasury.

While the size of the exploit is larger than the $11 million Yearn suffered, some have speculated that Alpha will likewise print tokens to cover the loss — and some traders and institutions have already positioned themselves for such a dilution.

Intrepid chain activity monitors noticed that Three Arrows Capital sent over $3 million in ALPHA tokens to Binance this morning, possibly with the intention of selling:

3AC selling $Alpha? Oh man.. pic.twitter.com/4xjlhZrIze

— Jason La Finance (@Raez_x) February 13, 2021

Currently, ALPHA, the governance token of the protocol which suffered the losses, is down 20% to $1.83; CREAM, the governance token of the protocol that enabled the exploit, is down 16% to $222; AAVE, the governance token of the protocol that the exploiter used for a flash loan, is down 2% to $505. 
