Alpha Finance loses $37.5 million following a sophisticated exploit.

On 13th February, one of the largest exploits in Defi's history was carried out.

The attacker carried out a planned and complex attack, with multiples transactions, using flashloans with Cream's Iron Bank protocol to protocol lending platform.

The market had picked up on an unusual transaction, and within 10 minutes, owners of $CREAM started panic selling, causing the token's value to substantially drop by 30%.

Cream Chart

The root of the exploit left the community somewhat confused, as they initially thought that the exploit was coming from Cream Finance. However, after a thorough investigation, the team at Cream Finance announced that protocol was functioning as normal.

An outline of the attack

The attacker was the only user who was in the sUSD pool for Alpha HomoraV2. The attacker borrowed ETH from Cream’s Ironbank and the sUSD as collateral. The attacker then repayed the debt accrued from borrowing the sUSD, however, due to a borrowing error caused by a rounding miscalculation, he was able to profit a very small amount.

This method was then re-executed multiple times, where the profit exceeded well into the 7 figure range.

The amount of debt has not repaid back to Cream Finance, which has left Alpha Finance in a substantial amount of debt. Alpha has been negotiating a remedial solution with Cream.

The funds were washed through Tornado and it appears that the attacker made a donation - possibly as a gesture of goodwill - for 1000 ETH to Alpha and Cream.

Was it an inside job?

Alpha had been audited twice by Peckshield and Quantstamp. It took several teams and several hours to find the cause of the exploit. There was some speculation that a faked 'spell' (Alpha's own term for a smart contract) was used to carry out the attack. There are some similarities to the fake pickle jar attack on Pickle Finance last year.

A post-mortem of the attack highlights that the attacker would have needed to know specific information:

1. HomoraBankv2 has an sUSD pool on a contract level in preparation for the upcoming release, which is neither available on the UI nor publicly announced.
2. There was no liquidity in sUSD lending pool, so the attacker can fully manipulate and inflate the total debt amount and total debt share.
3. There is a rounding miscalculation in the borrow function calculation, which only affects when the attacker is the sole borrower.
4. resolveReserve function can increase totalDebt without increasing totalDebtShare and the function, intended for collecting revenue to the reserve pool, can indeed be called by anyone.
5. HomoraBankv2 accepts any custom spell, as long as the invariant checks out that collateral is greater than borrow amount (a spell is similar to a strategy in Yearn).

A new risk

The use of fake contracts is seemingly a new type of risk in Defi. As far as we are aware, currently no security standards exist in this area and it may be that additional standards will need to be developed and tested in order to mitigate these risks.