- DeFi protocols Cream Finance and Alpha Finance have been linked to a major attack.
- The attacker took over $37.5 million through a multi-step process involving a series of flash loans. They’ve started distributing the funds to various locations.
- Alpha Finance appears to be the root cause of the exploit. Both teams say that they’re investigating, with post-mortems to follow.
An attacker targeted DeFi protocol Alpha Finance for a sum of $37.5 million earlier this morning. The exploit was found in the protocol’s Alpha Homora V2 product—not Cream Finance, as many suspected.
Another DeFi Exploit
The DeFi space has suffered yet another attack.
This time, it involved Alpha Finance. Though full details are yet to surface, it appears that the exploit affected the protocol’s Alpha Homora V2 product.
Initially, members of the DeFi community pointed to Cream Finance as the root cause of the incident, though the Cream team confirmed that its contracts were “functioning as normal.” Alpha Homora integrates Cream, which led to confusion.
Alpha Finance then posted their own announcement, pointing to the Alpha Homora V2 product as the exploit’s origin. They confirmed that they’re working with Andre Cronje and Cream Finance to investigate the incident, and that the loophole had been fixed. They also said that they “have a prime suspect” in mind.
Borrowing from Alpha Homora V2 has also been paused.
An Etherscan transaction shows that the attack was worth over $37.5 million. A large chunk of that sum was a loan of 13,244 ETH.
A trail of activity shows that they sent some ETH through Tornado.cash, a privacy solution that helps Ethereum users conceal their transaction history. They also appear to have sent 1,000 ETH to both the Alpha Finance Lab deployer and Cream Finance deployer.
The attack was carried out through a complex multi-step process that suggests the perpetrator was an experienced DeFi native. They used the Alpha Homora protocol, which integrates Cream, to borrow sUSD. They then lent these funds back to Iron Bank to receive cySUSD. They also took out large flash loans from Aave to increase their cySUSD holdings. With that, they were able to borrow the 13,244 ETH, $4,263,139 worth of DAI, $3,997,921 worth of USDC, and $5,647,242 worth of USDT.
They deposited some funds to Aave, 1,000 ETH to Iron Bank and Alpha Homora, and sent 320 ETH to Tornado.cash. That leaves just under 10,925 ETH in their wallet, worth roughly $20 million. Their funds can be viewed on Etherscan. They did it all for a transaction fee of 0.67 ETH, around $1,274.
The native tokens of both Cream Finance and Alpha Finance have tanked following the news. ALPHA has been particularly hard hit—it’s down 22% at the time of writing, trading at $1.82.
Full details surrounding the attack are yet to emerge. Both Cream Finance and Alpha Finance have confirmed that they’ll share post-mortem reports soon.
Alpha Finance is one of DeFi’s leading protocols, alongside Cream Finance. The attack is yet another case study that shows DeFi is still in its nascent stages. As such, experimenting with this technology is highly risky.
Editor’s note: This is a developing story. More updates will be posted as they come.
Disclosure: At the time of writing, the author of this story owned ETH and ALPHA.
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
See full terms and conditions.
Source: Read Full Article