
Cyber Incident Victim: Alpha Finance Lab

Date: Feb 2021

Location: Singapore

Summary

Alpha Homora V2 suffered a $37 million exploit involving Cream Finance's Iron Bank lending platform, where an attacker utilized a faked smart contract ("spell") to manipulate leveraged borrowing and lending mechanisms. The loophole was subsequently patched, and a prime suspect was identified, while the attacker donated portions of stolen funds to protocol deployers and Gitcoin. Cream Finance confirmed its other contracts remained unaffected. The incident triggered significant token price declines, with ALPHA and CREAM governance tokens dropping 20% and 16% respectively, alongside speculation about potential compensation mechanisms for affected users.


Description

On February 13, 2021, Alpha Homora V2 suffered an exploit resulting in a loss of $37 million, one of the largest decentralized finance (DeFi) breaches at the time. The attack leveraged Cream Finance’s Iron Bank protocol-to-protocol lending platform, which enabled leveraged lending. The attacker executed a complex transaction involving repeated borrowing and lending through Iron Bank, utilizing a faked smart contract—termed a "spell" in Alpha’s terminology—that Alpha Homora’s system erroneously recognized as legitimate. This method drew parallels to the "evil jar" attack on Pickle Finance in late 2020, where protocols interacted with maliciously spoofed contracts. Alpha Finance Lab confirmed awareness of the exploit within hours, collaborating with Cream Finance and Andre Cronje to patch the loophole. They announced having identified a "prime suspect" but did not disclose further investigative details. The attacker subsequently sent 1,000 Ether each to the Alpha and Iron Bank deployer addresses and made a Gitcoin donation, actions interpreted as symbolic gestures. Cream Finance separately confirmed its other contracts and markets remained unaffected, reactivating services after verification.


The incident triggered immediate market repercussions, with Alpha’s governance token (ALPHA) declining 20% to $1.83 and Cream’s token (CREAM) falling 16% to $222. AAVE, whose flash loan mechanism the exploiter utilized, saw a 2% drop to $505. Three Arrows Capital transferred over $3 million worth of ALPHA tokens to Binance shortly after the breach, signaling potential sell-off intentions. Discussions emerged regarding user compensation, referencing the recent precedent set by Yearn.Finance and MakerDAO, where MakerDAO created a custom collateralized debt position to address Yearn’s $11 million loss. Analysts speculated Alpha might similarly mint new tokens to cover losses, though no formal plan was confirmed at the time. The exploit underscored systemic vulnerabilities in cross-protocol interactions within DeFi, particularly around contract authentication and leveraged lending mechanisms.
