Officially: Leveraged liquidity protocol Alpha Homora and Iron Bank were the victims of a $37.5 million exploit
Recently, the DeFi project Alpha Homora suffered an exploit in which a hacker pulled out over $37 million by leveraging Cream's Iron Bank protocol-to-protocol lending platform.
Users can’t borrow more funds from Alpha Homora v2 = no new leveraged positions and borrow on existing positions.
V1 is safe and operational.
We’re on full alert and working with @samczsun & many trusted builders to investigate the issues thoroughly.
A post mortem to follow.
— Alpha Finance Lab (@AlphaFinanceLab) February 13, 2021
An attacker successfully drained over $37 million from Alpha Homora by leveraging Cream's Iron Bank protocol-to-protocol lending platform.
Alpha Finance Lab announced on Twitter this morning that they were aware of an attack, that the loophole that allowed it had been patched, and that the team had a prime suspect.
It is known that a hacker used Alpha Homora to borrow and lend many times with Iron Bank. Since then the project allows leveraged lending.
Some analysts have speculated that a faked spell is what enabled the exploit:
That contract is a faked Alpha Homora spell, Alpha Homora’s system thought it was one of their own;
That “contract” is “owned” by Alpha pic.twitter.com/5OHlWh9Mi1
— Arrundai (@arrundai) February 13, 2021
This fake spell/contract exploit conceptually echoes the evil jar attack on Pickle Finance that netted an attacker $20 million late last year. In both cases, the exploited protocols errantly responded to faked contracts. Shortly after the successful exploit, the attacker tipped the Alpha and Iron Bank deployers 1,000 Ethereum each, and also made a Gitcoin donation.
Cream Finance said in a statement on Twitter that the Iron Bank exploit would not affect any of their other contracts and that their currency markets were working properly:
C.R.E.A.M. contracts and markets were investigated and found to be functioning as normal. Markets have been re-enabled across both V1 and V2.
Post mortem to follow.
— Cream Finance 🍦 (@CreamdotFinance) February 13, 2021
Will users be compensated in the case of protocols that cannot force hackers to return the money? Remember Yearn.Finance.
The Yearn.Finance team and MakerDAO set a precedent with “DAOs bailing out DAOs” last week when MakerDAO allowed for the creation of a custom-built collateralized debt position from Yearn’s newly-minted treasury.
Although the size of the exploit was greater than the $11 million endured by Yearn, some have speculated that Alpha will also print tokens to cover the loss – and some traders and institutions have decided they have no taste for such dilution.
Intrepid chain activity monitors noticed that Three Arrows Capital sent over $3 million in ALPHA tokens to Binance this morning, possibly with the intention of selling.
Currently, ALPHA, the protocol's governance token, is at a loss, down 20% to $1.94; CREAM, the governance token of the protocol that enabled the exploit, dropped 16% to $220. Additionally, AAVE, the governance token of the protocol the exploiter used for a flash loan, fell by 5% to $499.
DeFi is susceptible to flash loan exploits like this. In a notable case before Christmas, the newly launched Warp Finance DeFi platform was taken for $7.7 million in stablecoins in another flash loan attack. And in one attack against crypto lending platform Compound, exploiters took home $89 million.
It’s clear, then, that more work needs to be done to prevent crypto from leaking out of the DeFi bucket.