Share this article
DeFi Protocols Cream Finance, Alpha Exploited in Flash Loan Attack; $37.5M Lost
Alpha Finance says the "loophole" has been patched.
Updated Sep 14, 2021, 12:11 p.m. Published Feb 13, 2021, 1:52 p.m.
Make us preferred on Google
Decentralized finance protocols (DeFi) Cream Finance and Alpha Finance were victims of one of the largest flash loan attacks ever Saturday morning, resulting in a loss of funds totaling $37.5 million, according to transaction details on Etherscan.
STORY CONTINUES BELOW
Don't miss another story.Subscribe to the Crypto Daybook Americas Newsletter today. See all newsletters
We are aware of a potential exploit and are looking into this. Thank you for your support as we investigate.
— Cream Finance 🍦 (@CreamdotFinance) February 13, 2021
Two hours later Cream Finance said its contracts were “functioning as normal” and markets had been enabled.
C.R.E.A.M. contracts and markets were investigated and found to be functioning as normal. Markets have been re-enabled across both V1 and V2.
— Cream Finance 🍦 (@CreamdotFinance) February 13, 2021
Post mortem to follow.
Alpha Finance then posted its own announcement, saying its Alpha Homora V2 product was the root cause. The company confirmed that it is working with DeFi guru Andre Cronje and Cream Finance to investigate the incident, and that the loophole had been fixed. It also said that they “have a prime suspect” in mind.
Dear Alpha community, we've been notified of an exploit on Alpha Homora V2. We're now working with @AndreCronjeTech and @CreamdotFinance together on this.
— Alpha Finance Lab (@AlphaFinanceLab) February 13, 2021
The loophole has been patched.
We're in the process of investigating the stolen fund, and have a prime suspect already.
Earlier, Cream Finance tweeted an update on the incident saying that asset borrowing from its recently launched Iron Bank lending feature had been suspended. That tweet has since been deleted.
This is the second attack on a DeFi protocol in the last two weeks. Cronje's Yearn Finance suffered an an exploit in one of its DAI lending pools, according to the decentralized finance protocol’s official Twitter account. That exploit drained $11 million.
.
