On June 17, 2021, the Alchemix DeFi project experienced what is being called a “reverse rug pull.” Typically, a rug pull is when the creators of a token suddenly sell off all of their holdings, which causes the value of the token to plummet at the users’ expense. In this case, it was the users that had the ability to extract value that they should not have been able to access.
What Happened?
This incident impacted the Alchemix alETH vault. A flaw in the deployment script of this vault accidentally created additional vaults (which were not supposed to exist) and placed them in the array of vaults.
The Alchemist contract accidentally used the incorrect index into this vault array when calculating reward values. This caused transmuter funds (i.e. rewards) to be sent to pay off debts within the alETH vault instead of going to the correct user.
With their debts paid off, the users of these vaults were able to withdraw the collateral for their loans without paying off the loans themselves. This resulted in the extraction of $6.5 million from the protocol.
Preventing Future Incidents
This reverse rug pull incident was caused by a couple of different errors in the Alchemix project. The deployment script created vaults that should not have existed, and the Alchemist contract used the incorrect vault index to allocate rewards.
While the project previously underwent a smart contract audit, these issues were overlooked. Additional audits may have detected this and other exploitable issues within the Alchemix project.