The Alchemix decentralized finance (DeFi) protocol discovered a potential exploit and acted quickly enough with a patch before the funds disappeared.
In an incident report posted on June 16, the DeFi protocol explained how it managed to save as much as $6.5 million being lost to malicious actors.
The team tweeted the alert regarding the vulnerability in its smart contracts but worked together with developers from Yearn Finance to come up with a fix.
“There has been an incident with the Alchemix alETH contracts. Together with the fantastic team at [Yearn Finance], we have identified the error and are both working on a post-mortem and a solution to the problem. Funds are safe.”
Alchemix Finance is a future-yield-backed synthetic asset platform that gives users advances on yield farming via a synthetic token that represents a fungible claim on any underlying collateral on the protocol.
The reverse DeFi rug pull
In the post mortem, developer “n4n0” stated that some users of the Alchemix alETH vault discovered they had no outstanding debt. This was after they previously borrowed alETH (the protocol’s synthetic ETH token) at a 4:1 collateral ratio.
In addition to this, the debt ceiling of almost 2,000 ETH was freed up to mint new alETH again, he added. For a short period of time users were able to withdraw their ETH collateral with their alETH loans still outstanding. This could have resulted in a community rug pull of around $6.53 million.
The developer explained,
“Individual users could withdraw all of their ETH, and so can anyone else currently in the contract. The loss is limited to the backing of alETH only. Meaning, users were allowed to withdraw collateral they shouldn’t have been.”
Fifteen minutes after Alchemix team started looking into the issue, a pause on the mint function for alETH was executed. Alchemix confirmed that no user funds were lost from either the protocol or Yearn vaults which automatically repay the synthetic loans.
To fix the issue new Alchemix vaults will be deployed to clear out the malignant smart contract. The protocol will also temporarily increase its fees to generate additional revenue towards filling the gap. It will also add some ETH and sell some DAI from the treasury to further collateralize its alETH tokens.
ALCX token price reaction
Although the exploit was nipped in the bud, it did not prevent the protocol’s ALCX token from dumping. According to CoinGecko, ALCX has slumped 18% on the day from just under $600 to $492 at the time of press.
Like many DeFi tokens, it’s down by over 75% from its all-time high of just over $2,000 in March. Around $30 million in TVL has also left the protocol over the past 24 hours dropping it to $580 million.