In one of the largest exploits of the DeFi era, this morning an attacker successfully drained over $37 million from Alpha Homora by leveraging Cream’s Iron Bank protocol-to-protocol lending platform.
Alpha Finance Lab, whose protocol was audited by Quantstamp and Peckshield, announced on Twitter this morning that they were aware of an attack, that the “loophole” that allowed it had been patched, and that the team had a “prime suspect”:
Dear Alpha community, we've been notified of an exploit on Alpha Homora V2. We're now working with @AndreCronjeTech and @CreamdotFinance together on this.
— Alpha Finance Lab (@AlphaFinanceLab) February 13, 2021
The loophole has been patched.
We're in the process of investigating the stolen fund, and have a prime suspect already.
The transaction from the exploit is notably complex. The attacker used Alpha Homora to borrow and lend repeatedly with Iron Bank, which allows for leveraged lending. Some analysts have speculated that a faked “spell” (Alpha’s branded term for a smart contract) is what enabled the exploit:
That contract is a faked Alpha Homora spell; Alpha Homora's system thought it was one of their own.
— Arrundai (@arrundai) February 13, 2021
That "contract" is "owned" by Alpha pic.twitter.com/5OHlWh9Mi1
This “fake spell/contract” exploit conceptually echoes the “evil jar” attack on Pickle Finance that netted an attacker $20 million late last year. In both cases, the exploited protocols errantly responded to faked contracts.
Shortly after the successful exploit, the attacker “tipped” the Alpha and Iron Bank deployers 1,000 Ether each, and also made a Gitcoin donation.
Cream Finance said in a statement on Twitter that the Iron Bank exploit did not impact any of their other contracts, and that their money markets were functioning normally:
C.R.E.A.M. contracts and markets were investigated and found to be functioning as normal. Markets have been re-enabled across both V1 and V2.
— Cream Finance (@CreamdotFinance) February 13, 2021
Post mortem to follow.
The question now turns to how users will be compensated in the event the protocols cannot pressure their “prime suspect” into returning the funds.
The Yearn.Finance team and MakerDAO set a precedent with “DAOs bailing out DAOs” last week when MakerDAO allowed for the creation of a custom-built collateralized debt position from Yearn’s newly-minted treasury.
While the size of the exploit is larger than the $11 million Yearn suffered, some have speculated that Alpha will likewise print tokens to cover the loss — and some traders and institutions have already positioned themselves for such a dilution.
Intrepid chain activity monitors noticed that Three Arrows Capital sent over $3 million in ALPHA tokens to Binance this morning, possibly with the intention of selling:
Currently, ALPHA, the governance token of the protocol which suffered the losses, is down 20% to $1.83; CREAM, the governance token of the protocol that enabled the exploit, is down 16% to $222; AAVE, the governance token of the protocol that the exploiter used for a flash loan, is down 2% to $505.