An attacker targeted DeFi protocols Cream Finance and Alpha Finance for a sum of $37.5 million earlier this morning.
Another DeFi Exploit
The DeFi space has suffered yet another attack.
This time, the DeFi protocols Cream Finance and Alpha Finance were affected. Though full details are yet to surface, it appears that the exploit was in Alpha Finance’s smart contracts.
The Cream team confirmed that it was investigating “a potential exploit” on Twitter earlier this morning, then went on to say that its contracts were “functioning as normal.”
Alpha Finance then posted their own announcement, pointing to the Alpha Homora V2 product as the root cause. They confirmed that they’re working with Andre Cronje and Cream Finance to investigate the incident, and that the loophole had been fixed. They also said that they “have a prime suspect” in mind.
Dear Alpha community, we’ve been notified of an exploit on Alpha Homora V2. We’re now working with @AndreCronjeTech and @CreamdotFinance together on this.
The loophole has been patched.
We’re in the process of investigating the stolen fund, and have a prime suspect already.
— Alpha Finance Lab (@AlphaFinanceLab) February 13, 2021
Borrowing from Alpha Homora V2 has also been paused.
An Etherscan transaction shows that the attack was worth over $37.5 million. A large chunk of that sum was a loan of 13,244 ETH.
A trail of activity shows that they sent some ETH through Tornado.cash, a privacy solution that helps Ethereum users conceal their transaction history. They also appear to have sent 1,000 ETH to both the Alpha Finance Lab deployer and Cream Finance deployer.
The attack was carried out through a complex multi-step process that suggests the perpetrator was an experienced DeFi native. They used the Alpha Homora protocol, which integrates Cream, to borrow sUSD. They then lent these funds back to Iron Bank to receive cySUSD. They also took out large flash loans from Aave to increase their cySUSD holdings. With that, they were able to borrow the 13,244 ETH, $4,263,139 worth of DAI, $3,997,921 worth of USDC, and $5,647,242 worth of USDT.
They deposited some funds to Aave, 1,000 ETH to Iron Bank and Alpha Homora, and 320 ETH was sent to Tornado.cash. That leaves just under 10,925 ETH in their wallet, worth roughly $20 million. Their funds can be viewed on Etherscan. They did it all for a transaction fee of 0.67 ETH, around $1,274.
The native tokens of both Cream Finance and Alpha Finance have tanked following the news. ALPHA has been particularly hard hit—it’s down 22.6% at the time of writing, trading at $1.78.
Full details surrounding the attack are yet to emerge. Both Cream Finance and Alpha Finance have confirmed that they’ll share “post-mortem” reports soon.
It’s yet another case study that shows DeFi is still in its nascent stages. As such, experimenting with this technology is highly risky.
Editor’s note: This is a developing story. More updates will be posted as they come.
Disclosure: At the time of writing, the author of this story owned ETH and ALPHA.
——————–
By: Chris Williams
Title: Cream Finance Drained of $37.5 Million in Major Exploit
Sourced From: cryptobriefing.com/cream-finance-drained-of-37-5-million-in-major-exploit/
Published Date: Sat, 13 Feb 2021 09:30:03 +0000
