
ALPHA Team Releases Post-Mortem

Updated by James Hydzik

In Brief

  • A post-mortem and update have been released following an attack on a CREAM Finance product yesterday.
  • The exploit, which made use of a product developed by Alpha Finance Lab, saw ~$38 million stolen.
  • The events put more pressure on the "Test in Prod" approach to development in the DeFi space.

The Alpha Finance Lab team has released a post-mortem of the exploit event yesterday, as well as an update on the ongoing investigation.

Yesterday, rising Decentralized Finance (DeFi) platform CREAM experienced an exploit that resulted in a hacker running off with $37.5 million.

The exploit involved another DeFi project, Alpha Finance Lab. Alpha released a post-mortem explaining exactly how the hacker was able to use the exploit.

Also, the ALPHA Team pointed out that user funds remain safe. They were quick to patch the issue and suspend the use of the product in question pending an investigation.

They also stated that an investigation is under way involving the CREAM Finance team and Yearn Finance developer Andre Cronje. The joint effort aims to find a remedy for the exploit, as well as identify the attacker.

The Alpha Post-Mortem

According to the post-mortem, the exploit involved two specific products from the platforms. These were CREAM Finance’s Iron Bank and the recently launched Alpha Homora V2.

In nine transactions, the hacker created a number of loans from HomoraBankV2, depositing the borrowed funds to CREAM’s Iron Bank.

These loans made use of an “evil spell” (similar to a “strategy” in a Yearn Vault), to call a sUSD pool that exists at the contract level on HomoraBankV2.

The post-mortem points out the ALPHA team placed the sUSD pool on the HomoraBankV2 contract in preparation for an upcoming release. Information on this contract was not publicly available, nor is it accessible through the user interface.

This suggests the hacker possessed a degree of inside knowledge in order to carry out the attack.

The Future of “Test in Prod”

While user funds remain safe in this case (with the debt being between HomoraBankV2 and the Iron Bank), questions have been raised about several approaches taken by the ALPHA team.

Firstly, critics of the “testing in prod” approach to DeFi development renewed calls for proper testing before teams release to the public. This prevents damage to the space’s image and promotes safe development, they say.

Moreover, with the ALPHA team already facing accusations of centralization, even the suspicion that an insider could be involved is worrying.

Whatever happens in the next few days, the exploit is likely to prove a setback for a project that experienced a surge in popularity last month.

Emmanuel Young
Emmanuel entered the cryptocurrency space in 2013 as a cryptocurrency broker. He is a crypto-enthusiast, entrepreneur, and investor, who has built and led several projects and communities in the space. He is CEO and co-founder of Provence Intelligence, a boutique crypto-consultancy firm that aims to bridge the gap between the cryptocurrency and DLT space and the traditional world. Interests include DeFi, non-blockchain DLTs, and the synthetic derivatives space.