Alpha Finance suffered a Flash Loan Attack: $37.5 Million Exploited

Summary

On February 13, 2021, Alpha Finance, a DeFi project, suffered a hack that resulted in a $37.5 million loss. The attacker exploited a rounding error in the repayment process, accumulating a substantial amount of cySUSD. They used this to obtain loans in different assets and distributed the stolen Ether. Iron Bank responded by modifying the smart contract configuration, freezing funds and preventing lenders on Alpha Homora from withdrawing their liquidity. Depositors ceased negotiations, received goodwill funds from Alpha Homora, and are pursuing legal action against Iron Bank.

Attackers

The identity of the attackers remains unknown. The attack was performed using the address 0x905315602Ed9a854e325F692FF82F58799BEaB57.

Losses

The Alpha Finance hack extracted $37.5 million from the project. The stolen funds were distributed as follows:

  • Iron Bank: 1,000 ETH
  • Alpha Homora: 1,000 ETH
  • Tornado.cash: 320 ETH
  • Attacker’s wallet: 10,925 ETH (worth roughly $20 million)

Timeline

  • February 13, 2021, 05:37 AM UTC: The attacker borrowed 1,000e18 sUSD from HomoraBankv2, using UNI-WETH LP as collateral. During repayment, the attacker exploited a rounding error in the protocol, paying slightly less than the owed amount.

  • February 13, 2021, 09:51 AM UTC: Cream Finance made an announcement regarding the hack.

  • February 13, 2021, 10:33 PM UTC: Alpha Finance promptly responded to the hack by fixing security issues, implementing restrictions, and limiting token options.

  • February 21, 2021, 02:48:54 AM UTC: An agreement was reached between Alpha Homora V2 (Alpha Finance Lab) and CREAM V2 (CREAM) regarding the amount of funds and repayment mechanics.

  • March 1, 2023, 12:54:47 PM UTC: Iron Bank (IB) unilaterally modified the smart contract configuration, freezing Alpha Homora (AH) lenders’ funds.

  • May 23, 2023: Depositors plan to stop negotiating, accept goodwill funds, and take legal action against IB.

Security Failure Causes

  • Loophole in Custom Functionality: The Alpha Homora v2 contract had a vulnerability that allowed the use of custom functionality without adequate checks, creating an opportunity for the attacker to exploit the system.
  • Rounding Error Exploitation: The attacker took advantage of a rounding error in the protocol during repayment, resulting in a manipulated debt and borrow share.
  • Insufficient Validation and Access Controls: The lack of strict validation checks and access controls for custom functionality and critical functions allowed unauthorized manipulation of the protocol.
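
The rounding failure listed above can be illustrated with a simplified model. This is an added example, not Alpha Homora's contract code: it assumes debt is tracked as shares of a pool-wide total, and every name and number in it is constructed. It shows how the rounding direction chosen when converting a repayment into debt shares decides whether the borrower or the protocol absorbs the remainder, and how an invariant check catches the bad state.

```python
# Simplified integer model of share-based debt accounting (constructed example).
# A pool is (total_debt, total_share); a position owes its share of total_debt.

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def owed(pool, share):
    """Debt a position owes, rounded up so the protocol never under-charges."""
    total_debt, total_share = pool
    return ceil_div(share * total_debt, total_share) if total_share else 0

def repay(pool, position_share, amount, burn_round_up):
    """Apply a repayment and return (new_pool, new_position_share).

    burn_round_up=True models the weak rounding: the shares burned are rounded
    in the borrower's favour. burn_round_up=False rounds them down, so a
    repayment can never clear more debt than was actually paid.
    """
    total_debt, total_share = pool
    numerator = amount * total_share
    burned = ceil_div(numerator, total_debt) if burn_round_up else numerator // total_debt
    burned = min(burned, position_share)
    return (total_debt - amount, total_share - burned), position_share - burned

def unbacked_debt(pool):
    """Invariant check: outstanding debt must always be backed by shares."""
    total_debt, total_share = pool
    return total_debt if total_share == 0 else 0

def demo():
    # Constructed state: 1000 shares whose debt has grown to 1003 with interest.
    pool, share = (1003, 1000), 1000
    weak = repay(pool, share, 1002, burn_round_up=True)
    hardened = repay(pool, share, 1002, burn_round_up=False)
    return weak, hardened

if __name__ == "__main__":
    for label, (pool, share) in zip(("weak", "hardened"), demo()):
        print(label, "pool:", pool, "position share:", share,
              "still owed:", owed(pool, share),
              "unbacked debt:", unbacked_debt(pool))
```

With the weak rounding the position is closed after paying 1002 of the 1003 owed and the pool is left holding debt that no share accounts for; with the hardened rounding one share and one unit of debt remain on the position.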