The Alpha Finance Lab team has released a post-mortem of the exploit event yesterday, as well as an update on the ongoing investigation.
The exploit involved another DeFi project, Alpha Finance Lab. Alpha released a post-mortem explaining exactly how the hacker was able to use the exploit.
Also, the ALPHA Team pointed out that user funds remain safe. They were quick to patch the issue and suspend the use of the product in question pending an investigation.
They also stated that an investigation is in gear involving the CREAM Finance team and Yearn Finance developer Andre Cronje. The joint effort aims to find a remedy for the exploit, as well as identify the attacker.
The Alpha Post-Mortem
According to the post-mortem, the exploit involved two specific products from the platforms. These were CREAM Finance’s Iron Bank and the recently launched Alpha Homora V2.
In nine transactions, the hacker created a number of loans from HomoraBankV2, depositing the borrowed funds to CREAM’s Iron Bank.
These loans made use of an “evil spell” (similar to a “strategy” in a Yearn Vault), to call a sUSD pool that exists at the contract level on HomoraBankV2.
The post-mortem points out the ALPHA team placed the sUSD pool on the HomoraBankV2 contract in preparation for an upcoming release. Information on this contract was not publicly available, nor is it accessible through the user interface.
This suggests the hacker possessed a degree of inside knowledge in order to carry out the attack.
The Future of ‘Test in Prod”
While user funds remain safe in this case (with the debt being between HomoraBankV2 and the Iron Bank), questions have been made about several approaches taken by the ALPHA team.
Firstly, critics of the testing “in prod” approach to DeFi development, renewed calls for proper testing before teams release to the public. This prevents damage to the space’s image and promotes safe development, they say.
Moreover, with the ALPHA team already facing accusations of centralization, even the suspicion that an insider could be involved is worrying.
Whatever happens in the next few days, the exploit is likely to prove a set back for a project that experienced a surge in popularity last month.