Since the Alpha Homora V2 exploit, we have been on full alert working on various moving pieces. Before we go into the recap, the roadmap, and what lies ahead, we'd like to highlight several points first.
- Users’ funds are safe.
- Additional debt incurred from the exploit is between Alpha Homora V2 and Cream V2.
- The Alpha team is working closely with Andre Cronje and the Cream team to discuss various options and will then update the community.
Breakdown of the attacker’s funds:
- 1k ETH was sent back to Alpha Homora V2 deployer
- 1k ETH was sent back to Cream V2 deployer
- 10,925 ETH at the attacker's wallet address
- ~4,263,139 DAI + 3,997,921 USDC + 5,647,242 USDT → lent on Aave → deposited on Curve → now in Curve’s gauge
- 220 ETH to Tornado
- 100 ETH to Gitcoin Grant
To recap for our community members, once the exploit happened:
- The loophole that made the exploit possible was quickly addressed and closed, including:
  - Only EOAs can call the `execute` function (this was upgraded recently prior to the hack)
  - Only whitelisted spells can be used
  - The `resolveReserve` function can only be called by the governor
  - Borrowing and repaying functionality was removed for sUSD and other new tokens that are not yet launched on the frontend
- Security researchers, builders from various projects, and the Alpha team worked together to investigate the exploit.
- We contacted various parties to blacklist the hacker’s address.
- We have been working with multiple parties since then to trace the hacker. More information about the exploit can be found here.
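The first three restrictions listed above can be pictured as the following Solidity sketch. It is an added illustration, not Alpha Homora's contract code: only the names `execute` and `resolveReserve` come from this post, while `GuardedBank`, `setWhitelistSpell`, the storage layout, the function signatures, and the reserve bookkeeping are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch only; all names except execute/resolveReserve are hypothetical.
contract GuardedBank {
    address public governor;                            // assumed: single governor account
    mapping(address => bool) public whitelistedSpells;  // assumed: governor-managed allow-list
    mapping(address => uint256) public reserve;         // assumed: placeholder reserve bookkeeping

    constructor() {
        governor = msg.sender;
    }

    // When an externally owned account calls directly, msg.sender equals
    // tx.origin. A call relayed through an intermediate contract fails here.
    modifier onlyEOA() {
        require(msg.sender == tx.origin, "not EOA");
        _;
    }

    modifier onlyGov() {
        require(msg.sender == governor, "not governor");
        _;
    }

    // Only the governor can add or remove spells from the allow-list.
    function setWhitelistSpell(address spell, bool ok) external onlyGov {
        whitelistedSpells[spell] = ok;
    }

    // Forwards to a spell only when the caller is an EOA and the spell is
    // whitelisted, so an arbitrary caller-supplied contract is never invoked.
    function execute(address spell, bytes calldata data)
        external
        payable
        onlyEOA
        returns (bytes memory)
    {
        require(whitelistedSpells[spell], "spell not whitelisted");
        (bool ok, bytes memory ret) = spell.call{value: msg.value}(data);
        require(ok, "spell call failed");
        return ret;
    }

    // Reserve accounting can only be triggered by the governor.
    function resolveReserve(address token, uint256 amount) external onlyGov {
        reserve[token] += amount;
    }
}
```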
For Alpha Homora V2 users:
- Lenders can still lend and withdraw.
- Users cannot open new leveraged positions yet, as borrow is disabled.
- Current leveraged yield farmers/liquidity providers cannot borrow, but can add collateral, repay debt, harvest farmed tokens, and close positions.
- Liquidity mining activities across Alpha Homora V1 and V2 are still ongoing.
While we continue working on the various moving pieces, we are also setting up new security measures that all Alpha products will go through.
New security measures include, but are not limited to:
- Multiple internal reviews
- Multiple peer reviews by top developers in DeFi
- Multiple audits by industry-leading security audit firms
Alpha Homora V2
As a result of the new security measures, Alpha Homora V2 will go through another audit by an industry-leading audit firm. Note that Alpha Homora V2 has already been audited by Quantstamp and Peckshield. Additionally, we will conduct multiple internal reviews and get peer reviews from multiple developers in the space.
Once Alpha Homora V2 has gone through these security measures, we will relaunch it with the borrowing function re-enabled, more leveraged pools, and more lending assets.
While Alpha Homora V2 is going through another security audit and multiple peer reviews before we add more leveraged pools and more lending assets, the Alpha team will continue to work on ALPHA tokenomics and explore new opportunities on Alpha Homora V1.
As a result of the skyrocketing growth in DeFi, from $700 million in total value locked for the whole industry on January 1, 2020 to $28 billion on January 31, 2021 (40x), the value that an attacker can get has outweighed the bug bounty any project can give.
We are taking this opportunity to come up with a new and creative way to structure bug bounty or similar programs that will be in line with the current DeFi landscape and set it as an industry standard that others can follow.
DeFi is at an inflection point, shifting towards a more secure ecosystem as a whole. This requires everyone to work together to build a more secure DeFi environment. We are confident that the Alpha and DeFi communities will come out of this inflection point stronger than ever.