Alpha Finance Exploited in $37.5 Million Attack
An attacker has targeted the DeFi protocol Alpha Finance, netting $37.5 million in the process.
- DeFi protocols Cream Finance and Alpha Finance have been linked to a major attack.
- The attacker took over $37.5 million through a multi-step process involving a series of flash loans. They've started distributing the funds to various locations.
- Alpha Finance appears to be the root cause of the exploit. Both teams say that they're investigating, with post-mortems to follow.
Share this article
An attacker targeted DeFi protocol Alpha Finance for a sum of $37.5 million earlier this morning. The exploit was found in the protocol’s Alpha Homora V2 product—not Cream Finance, as many suspected.
Another DeFi Exploit
The DeFi space has suffered yet another attack.
This time, it involved Alpha Finance. Though full details are yet to surface, it appears that the exploit affected the protocol’s Alpha Homora V2 product.
Initially, members of the DeFi community pointed to Cream Finance as the root cause of the incident, though the Cream team confirmed that its contracts were “functioning as normal.” Alpha Homora integrates Cream, which led to confusion.
Alpha Finance then posted their own announcement, pointing to the Alpha Homora V2 product as the exploit’s origin. They confirmed that they’re working with Andre Cronje and Cream Finance to investigate the incident, and that the loophole had been fixed. They also said that they “have a prime suspect” in mind.
Dear Alpha community, we've been notified of an exploit on Alpha Homora V2. We're now working with @AndreCronjeTech and @CreamdotFinance together on this.
The loophole has been patched.
We're in the process of investigating the stolen fund, and have a prime suspect already.
— Alpha Venture DAO (Previously Alpha Finance Lab) (@AlphaVentureDAO) February 13, 2021
Borrowing from Alpha Homora V2 has also been paused.
An Etherscan transaction shows that the attack was worth over $37.5 million. A large chunk of that sum was a loan of 13,244 ETH.
A trail of activity shows that they sent some ETH through Tornado.cash, a privacy solution that helps Ethereum users conceal their transaction history. They also appear to have sent 1,000 ETH to both the Alpha Finance Lab deployer and Cream Finance deployer.
The attack was carried out through a complex multi-step process that suggests the perpetrator was an experienced DeFi native. They used the Alpha Homora protocol, which integrates Cream, to borrow sUSD. They then lent these funds back to Iron Bank to receive cySUSD. They also took out large flash loans from Aave to increase their cySUSD holdings. With that, they were able to borrow the 13,244 ETH, $4,263,139 worth of DAI, $3,997,921 worth of USDC, and $5,647,242 worth of USDT.
They deposited some funds to Aave, 1,000 ETH to Iron Bank and Alpha Homora, and sent 320 ETH to Tornado.cash. That leaves just under 10,925 ETH in their wallet, worth roughly $20 million. Their funds can be viewed on Etherscan. They did it all for a transaction fee of 0.67 ETH, around $1,274.
The native tokens of both Cream Finance and Alpha Finance have tanked following the news. ALPHA has been particularly hard hit—it’s down 22% at the time of writing, trading at $1.82.
Full details surrounding the attack are yet to emerge. Both Cream Finance and Alpha Finance have confirmed that they’ll share post-mortem reports soon.
Alpha Finance is one of DeFi’s leading protocols, alongside Cream Finance. The attack is yet another case study that shows DeFi is still in its nascent stages. As such, experimenting with this technology is highly risky.
Editor’s note: This is a developing story. More updates will be posted as they come.
Disclosure: At the time of writing, the author of this story owned ETH, ALPHA, and AAVE.