Alpha Homora loses $37 million following Iron Bank exploit



In one of the largest exploits of the DeFi era, this morning an attacker successfully drained over $37 million from Alpha Homora by leveraging Cream’s Iron Bank protocol-to-protocol lending platform.

Alpha Finance Lab, whose protocol was audited by Quantstamp and Peckshield, announced on Twitter this morning that they were aware of an attack, that the “loophole” that allowed it had been patched, and that the team had a “prime suspect”:

The transaction from the exploit is notably complex. The attacker used Alpha Homora to borrow and lend repeatedly with Iron Bank, which allows for leveraged lending. Some analysts have speculated that a faked “spell” (Alpha’s branded term for a smart contract) is what enabled the exploit:

This “fake spell/contract” exploit conceptually echoes the “evil jar” attack on Pickle Finance that netted an attacker $20 million late last year. In both cases, the exploited protocols errantly responded to faked contracts.

Shortly after the successful exploit, the attacker “tipped” the Alpha and Iron Bank deployers 1,000 Ether each, and also made a Gitcoin donation.

Cream Finance said in a statement on Twitter that the Iron Bank exploit did not impact any of their other contracts, and that their money markets were functioning normally:

Protocol Bailout?

The question now turns to how users will be compensated in the event the protocols can’t pressure their “prime suspect” into returning the funds.

The Yearn.Finance team and MakerDAO set a precedent with “DAOs bailing out DAOs” last week when MakerDAO allowed for the creation of a custom-built collateralized debt position from Yearn’s newly-minted treasury.

While the size of the exploit is bigger than the $11 million Yearn suffered, some have speculated that Alpha will likewise print tokens to cover the loss, and some traders and institutions have already positioned themselves for such a dilution.

Intrepid chain activity monitors noticed that Three Arrows Capital sent over $3 million in ALPHA tokens to Binance this morning, possibly with the intention of selling:

At present, ALPHA, the governance token of the protocol which suffered the losses, is down 20% to $1.83; CREAM, the governance token of the protocol that enabled the exploit, is down 16% to $222; AAVE, the governance token of the protocol that the exploiter used for a flash loan, is down 2% to $505.