In one of the largest exploits of the DeFi era, this morning an attacker successfully drained over $37 million from Alpha Homora by leveraging Cream’s Iron Bank protocol-to-protocol lending platform.
Alpha Finance Lab, whose protocol was audited by Quantstamp and Peckshield, announced on Twitter this morning that they were aware of an attack, that the “loophole” that allowed it had been patched, and that the team had a “prime suspect”:
The transaction from the exploit is notably complex. The attacker used Alpha Homora to borrow and lend repeatedly with Iron Bank, which allows for leveraged lending. Some analysts have speculated that a faked “spell” (Alpha’s branded term for a smart contract) is what enabled the exploit:
This “fake spell/contract” exploit conceptually echoes the “evil jar” attack on Pickle Finance that netted an attacker $20 million late last year. In both cases, the exploited protocols errantly responded to faked contracts.
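To show what “responding to faked contracts” means in code, here is an added illustration (not Alpha Homora’s, Pickle’s or Cream’s code; every contract and function name is an assumption) of the general pattern: a vault that executes whatever address a caller hands it, beside the same vault restricted to a governance-maintained allowlist of known spell contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical example of the "faked contract" class of bug, not any real protocol's code.
// Contract and function names are assumptions made for illustration.

// Weak pattern: the vault acts on any address the caller passes in, trusting it to be
// one of the protocol's own spell contracts. An arbitrary contract can therefore return
// whatever accounting result it likes.
contract VaultNoCheck {
    mapping(address => uint256) public debt;

    function execute(address spell, bytes calldata data) external returns (uint256 owed) {
        (bool ok, bytes memory ret) = spell.call(data);
        require(ok, "spell failed");
        owed = abi.decode(ret, (uint256));
        debt[msg.sender] = owed; // caller-supplied contract decides the caller's debt
    }
}

// Hardened pattern: only spell contracts registered by governance may be executed,
// and registration refuses externally owned accounts (no code at the address).
contract VaultAllowlist {
    address public immutable governor;
    mapping(address => bool) public isSpell;
    mapping(address => uint256) public debt;

    event SpellSet(address indexed spell, bool allowed);

    constructor() {
        governor = msg.sender;
    }

    modifier onlyGovernor() {
        require(msg.sender == governor, "not governor");
        _;
    }

    // Governance registers or removes a spell; `address.code` is available from Solidity 0.8.0.
    function setSpell(address spell, bool allowed) external onlyGovernor {
        require(spell.code.length > 0, "not a contract");
        isSpell[spell] = allowed;
        emit SpellSet(spell, allowed);
    }

    function execute(address spell, bytes calldata data) external returns (uint256 owed) {
        require(isSpell[spell], "unknown spell"); // reject anything not on the allowlist
        (bool ok, bytes memory ret) = spell.call(data);
        require(ok, "spell failed");
        owed = abi.decode(ret, (uint256));
        debt[msg.sender] = owed;
    }
}
```

The allowlist alone is not a complete defence (a registered spell can still have its own bugs), but it closes the specific gap the article describes: a protocol acting on results reported by a contract it never vetted. The `SpellSet` event also gives monitors a concrete signal to alert on whenever the set of trusted contracts changes.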
Shortly after the successful exploit, the attacker “tipped” the Alpha and Iron Bank deployers 1,000 Ether each, and also made a Gitcoin donation.
Cream Finance said in a statement on Twitter that the Iron Bank exploit did not impact any of their other contracts, and that their money markets were functioning normally:
The question now turns to how users will be compensated in the event the protocols cannot pressure their “prime suspect” into returning the funds.
The Yearn.Finance team and MakerDAO set a precedent with “DAOs bailing out DAOs” last week when MakerDAO allowed for the creation of a custom-built collateralized debt position from Yearn’s newly-minted treasury.
While the size of the exploit is larger than the $11 million Yearn suffered, some have speculated that Alpha will likewise print tokens to cover the loss — and some traders and institutions have already positioned themselves for such a dilution.
Intrepid chain activity monitors noticed that Three Arrows Capital sent over $3 million in ALPHA tokens to Binance this morning, possibly with the intention of selling:
Currently, ALPHA, the governance token of the protocol which suffered the losses, is down 20% to $1.83; CREAM, the governance token of the protocol that enabled the exploit, is down 16% to $222; AAVE, the governance token of the protocol that the exploiter used for a flash loan, is down 2% to $505.