Alpha Homora V2 Exploit Post Mortem

C.R.E.A.M., published in C.R.E.A.M. Finance, Feb 17, 2021

Summary

Alpha Finance’s Alpha Homora V2, our Iron Bank partner, was exploited by an attacker this past weekend. This event resulted in a loss of approximately $38M USD to the attacker. The additional debt accrued from the exploit is owed by Alpha Homora V2 to the Iron Bank, also known as C.R.E.A.M. V2. User funds are safe. The Iron Bank lending markets were briefly paused while the C.R.E.A.M. team investigated the exploit. As soon as Iron Bank smart contracts and markets were found to be functioning normally, the team quickly re-enabled these markets.

C.R.E.A.M. V1 markets on Ethereum and Binance Smart Chain were not impacted, as they are separate liquidity pools from the Iron Bank. The large reported drop in TVL was due to ~$400 million worth of FTT tokens that were withdrawn from C.R.E.A.M. V1 by the owner.

What Happened?

On Feb 13 at 5:37 AM UTC, an attacker exploited Alpha Homora V2’s sUSD pool, borrowing ETH, DAI, USDC, and USDT from the Iron Bank and exiting these funds to Tornado Cash and the Curve Aave pool.

For a more detailed description of the exploit, please refer to Alpha’s post mortem here, or Kerman Kohli’s analysis here.

Reacting to the fear that an exploit may have impacted C.R.E.A.M. V1 lenders and borrowers, around $400M of $FTT collateral was pulled from the C.R.E.A.M. V1 lending pool by the owner.

C.R.E.A.M. Finance Team Response

The C.R.E.A.M. team paused supply and borrow across all markets in the Iron Bank and turned the credit limit to Alpha Homora V2 down to 0 while investigations took place. Once the Iron Bank smart contracts and markets were verified to be functioning normally, the team quickly re-enabled these markets.

This week, the team is adding additional preventative measures such as automated monitoring for abnormal activities.

C.R.E.A.M. V1 and V2 contracts completed a security audit in January — we are happy with the outcome and will share more information on this audit in a follow-up post.

How Does This Exploit Affect The Iron Bank and C.R.E.A.M. v1 Users?

For starters, it is important to highlight that C.R.E.A.M. V1 deposits are held in pools separate from the assets in the Iron Bank (Iron Bank contracts are listed here). This separation means that the exploit incident did not affect C.R.E.A.M. V1 on Ethereum or Binance Smart Chain. Learn more about the difference between V1 and V2 in the Iron Bank FAQ.

In addition, the Iron Bank has not incurred any bad debt. The Iron Bank’s uncollateralized, protocol-to-protocol lending is primarily based on the creditworthiness of the borrower. In this case, the borrower is Alpha Homora V2. Alpha’s loans are still outstanding and include the balance from this exploit. We believe in the creditworthiness and track record of the Alpha Finance team. We are confident that they will be able to repay the Iron Bank.

While the exploit indirectly triggered the withdrawal of hundreds of millions of deposited assets from C.R.E.A.M. V1, we believe this is a blessing in disguise as it has led to a healthier base of collateral. The majority of the assets withdrawn were approximately US$400M equivalent of FTT. Over the last few months, many in our community have voiced concerns about the ability to liquidate this amount of FTT on-chain and the risk that posed to the health of the C.R.E.A.M. platform. Given this change, C.R.E.A.M. v1 now has a more diversified asset pool, with a stronger base to build on. We plan to announce new incentives to further grow the asset base in the near future.

What Comes Next?

New borrowing will stay at 0 for Alpha Homora V2 until another audit is complete. Additional monitoring systems are in the works for the Iron Bank to better spot abnormal behavior. New criteria for whitelisting Iron Bank partners will be implemented.

Building in DeFi is hard, especially as we push new innovation quickly. The recent exploit is leading to innovations around security and monitoring practices. We remain 100% supportive of our partner Alpha Finance, and look forward to continued success together.

Iron Bank FAQ: https://docs.cream.finance/iron-bank/faq

C.R.E.A.M Finance is a decentralized lending protocol. Crypto Rules Everything Around Me.