ALPHA Team Releases Post-Mortem

In Brief
  • A post-mortem and update have been released following an attack on a CREAM Finance product yesterday.

  • The exploit, which made use of a product developed by Alpha Finance Lab, saw ~$38 million stolen.

  • The events put more pressure on the "Test in Prod" approach to development in the DeFi space.


The Alpha Finance Lab team has released a post-mortem of the exploit event yesterday, as well as an update on the ongoing investigation.


Yesterday, rising Decentralized Finance (DeFi) platform CREAM experienced an exploit that resulted in a hacker running off with $37.5 million.

The exploit involved another DeFi project, Alpha Finance Lab. Alpha released a post-mortem explaining exactly how the hacker was able to use the exploit.


Also, the ALPHA Team pointed out that user funds remain safe. They were quick to patch the issue and suspend the use of the product in question pending an investigation.

They also stated that an investigation is under way involving the CREAM Finance team and Yearn Finance developer Andre Cronje. The joint effort aims to find a remedy for the exploit, as well as identify the attacker.

The Alpha Post-Mortem

According to the post-mortem, the exploit involved two specific products from the platforms. These were CREAM Finance’s Iron Bank and the recently launched Alpha Homora V2.

In nine transactions, the hacker created a number of loans from HomoraBankV2, depositing the borrowed funds to CREAM’s Iron Bank.

These loans made use of an “evil spell” (similar to a “strategy” in a Yearn Vault) to call a sUSD pool that exists at the contract level on HomoraBankV2.

The post-mortem points out that the ALPHA team placed the sUSD pool on the HomoraBankV2 contract in preparation for an upcoming release. Information on this contract was not publicly available, nor is it accessible through the user interface.

This suggests the hacker possessed a degree of inside knowledge in order to carry out the attack.

The Future of “Test in Prod”

While user funds remain safe in this case (with the debt being between HomoraBankV2 and the Iron Bank), questions have been raised about several approaches taken by the ALPHA team.

Firstly, critics of the “test in prod” approach to DeFi development renewed calls for proper testing before teams release to the public. This prevents damage to the space’s image and promotes safe development, they say.

Moreover, with the ALPHA team already facing accusations of centralization, even the suspicion that an insider could be involved is worrying.

Whatever happens in the next few days, the exploit is likely to prove a setback for a project that experienced a surge in popularity last month.


Emmanuel entered the cryptocurrency space in 2013 as a cryptocurrency broker. He is a crypto-enthusiast, entrepreneur, and investor, who has built and led several projects and communities in the space. He is CEO and co-founder of Provence Intelligence, a boutique crypto-consultancy firm that aims to bridge the gap between the cryptocurrency and DLT space and the traditional world. Interests include DeFi, non-blockchain DLTs, and the synthetic derivatives space.
