
One hack to bring down a whole market, Feb 10–17


Cointelegraph By Andrey Shevchenko

Finance Redefined is Cointelegraph’s DeFi-centric newsletter, delivered to subscribers every Wednesday.

The Alpha Homora and Cream Finance hack has made a gigantic mark in the DeFi space this week.


It is the largest single hack in DeFi history at $37 million in funds stolen. It is also one of the most complex, apparently leveraging several honest-to-God vulnerabilities in Alpha Homora. A few missing input checks in very specialized conditions allowed the hacker to abuse Alpha Homora’s privilege of borrowing an unlimited amount of funds from Cream Finance’s Iron Bank. Flash loans were of course involved, but unlike some previous hacks like Harvest Finance, this doesn’t seem to have been a purely economic exploit.

News of the hack had a very negative impact on prices for all the protocols involved in the hack, including Aave for some reason. Looking more generally at the DeFi Perp on FTX, there is a clear peak right on Feb. 13 when the hack happened.

FTX’s DeFi index, courtesy of TradingView.

Perhaps some of that is just normal market action, but overall it’s looking as if the hack single-handedly put an end to the DeFi season, for now.

Auditors feeling the heat

Like any protocol reaching any kind of mass adoption today, Alpha Homora had been audited, in this case by Quantstamp and PeckShield, both skilled and respectable firms.

Yet, the details of the hack led some to suspect it was an inside job, potentially by someone at these auditing firms. Yearn.finance core developer Banteg mentioned how the details of the hack were so obscure that it was extremely unlikely anyone figured it out just by looking at the contracts. Notably, the pool attacked by the hacker was unannounced and unused, which is what allowed the hack to occur in the first place.

While there were no public accusations, the incident triggered yet another discussion of why auditors failed to catch the bug, whether they are properly incentivized, and how this situation can be mitigated.