A recent report revealed that a hacker has succeeded in stealing $37.5 Million from the Decentralized Finance (DeFi) project Alpha Finance in a flash-loan attack.
Although many initially suspected that the vulnerability was in Cream Finance, the latest finding showed that the exploit was in the Alpha Homora V2 product.
This is not the first flash-loan attack, but it’s the largest ever. After the DeFi project Cream Finance posted details indicating that the hack didn’t come from its protocol, Alpha Finance posted an update naming Alpha Homora V2 as the origin of the exploit.
“Dear Alpha community, we’ve been notified of an exploit on Alpha Homora V2,” the Alpha project’s team stated.
Attack was perpetrated using a complicated process
According to the report, the complex nature of the attack indicates that it was executed by an experienced DeFi native.
They borrowed sUSD using the Alpha Homora protocol, which also incorporates Cream. After borrowing the funds, they exchanged them for cySUSD by lending the funds back to Iron Bank.
With that, the perpetrators were able to borrow, in total, 13,244 ETH, $4,263,139 worth of DAI, $3,997,921 worth of USDC, and $5,647,242 worth of USDT. They carried out the entire transaction for 0.67 ETH, which is about $1,274.
An investigation into the incident is ongoing
Alpha Finance has confirmed that an investigation into the incident has already begun, and that the vulnerability has been fixed to prevent further exploitation.
The project’s team also said it has a key suspect in mind, although no further detail was provided.
The team also announced that it has temporarily stopped borrowing from Alpha Homora V2 until the situation is resolved.
The transaction notification on Etherscan showed that the bulk of the stolen funds was from a loan of 13,244 ETH.
Native tokens shed price
According to the report, the culprits seem to have sent 1,000 ETH to both the Cream Finance deployer and the Alpha Finance Lab deployer. They also seem to have sent some ETH through Tornado.cash, a privacy system that conceals the transaction history of Ethereum users.
Following the news about the hack, both native tokens have dropped in price, with Alpha more affected. As of the time of writing, the token is trading at $1.82, which is a 22% drop in price.
$37.5 Million stolen from Alpha Finance in another DeFi attack