Explained: The Alpha Homora DeFi Hack (Feb 2021)

HomoraBankv2 allows the use of any custom “spell”, which is similar to a Yearn strategy (a special type of smart contract).  The only check is that the collateral used in a loan is greater than the borrowed amount.  In this case, the attacker used a custom malicious spell (address 0x560a8e3b79d23b0a525e15c6f3486c6a293ddad2) to perform the attack.  With this custom spell, the attacker was able to perform a multi-stage attack.

In the first stage of the attack, the attacker borrowed 1,000e¹⁸ sUSD from HomoraBankv2 using UNI-WETH LP (previously received from Uniswap pool in this transaction) as collateral.

When the debt was paid back in a later transaction, the attacker owed 1000.000098548938710984 sUSD (due to interest) but only paid 1000.000098548938710983 sUSD, exploiting a rounding error in the protocol.  After this occurs, the attacker called resolveReserve on the sUSD bank to create a debt of 19709787742197 and leaving the total borrow share at 1.

The image above shows how the attacker used this borrow share.  At each stage, the attacker borrows one less minisUSD than the current total debt (which doubles with each borrow).  Since the attacker has a single borrow share, this equates to a zero borrow share, so the protocol treats it as no-debt borrowing.  At the end of the transaction, the attacker deposits the 19.54 sUSD that they’ve managed to build up into Cream’s Iron Bank.  Then, the attacker repeats the process in another transaction.  This deposited sUSD is eventually used as collateral for a loan of USDC for use later in the attack.

Next, the attacker builds a hoard of cySUSD over multiple transactions.  The transaction below is an example of one of these.

In this transaction, the attacker takes out a loan of 10M USDC from Aave and immediately sends it to Alpha Homora (which uses Curve), allowing them to extract sUSD.  This sUSD is sent to Iron Bank (Cream), enabling the attacker to extract cySUSD.  By repeatedly borrowing sUSD from Alpha Homora and loaning it to Iron Bank, the attacker is able to build up a hoard of cySUSD.  In the end, the USDC lent to Alpha Homora is returned and then the initial flash loan from Aave is repaid.

After completing multiple transactions like the one above, the attacker has accumulated a large hoard of cySUSD.

This hoard of cySUSD enabled the attacker to borrow the following (as shown above):

• 13.2k WETH
• 3.6M USDC
• 5.6M USDT
• 4.2M DAI

Of these the USDC, USDT, and DAI were all deposited to Aave as shown above to get aTokens.  These tokens were then deposited to Curve’s a3Crv pool, which are added to Curve’s liquidity gauge.

The 13.2k Ether that the attacker extracted was distributed to a number of different places as shown in the image above:

• 1,000 ETH to Iron Bank
• 1,000 ETH to Alpha Homora
• 320 ETH to Tornado.cash
• 10,925 ETH retained in wallet

At the end of the day, the Alpha Homora attacker was able to make approximately $37.5 million by exploiting the vulnerable contract.

The attack against Alpha Homora exploited a few main security issues:

• Rounding error in borrow code
• Allowance for use of custom spells
• Public access to resolveReserve function

In the wake of the attack, the Alpha Finance team has resolved these issues and limited buying and repayment to four tokens (ETH, DAI, USDC, and USDT).  These corrections are designed to prevent a similar attack from occurring in the future.  The team at Alpha Finance is also working to freeze the remaining assets on cryptocurrency exchanges, blocking the attacker from getting away with the stolen money.

Find out how you can prevent a cyber attack on your blockchain company by reaching out to a Halborn rep today at halborn@protonmail.com.