Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
The alETH pool of the DeFi lending protocol Alchemix is suspected to contain a vulnerability that lets users withdraw their collateralized ETH while they still have outstanding alETH debt. Alchemix released an incident report for the alETH pool stating that, due to an error in the alETH pool deployment script, users who had borrowed alETH at a 4:1 collateralization ratio were left with no debt to repay, and the debt ceiling of nearly 2,000 ETH was freed up so that new alETH could be minted again. This, combined with Alchemix's use of the wrong index in the vault array, forced the transmuter, which supports the protocol's mechanism, to send the funds entirely to repaying users' debt. The team has stopped collateralized lending in the pool. As of the time of the report, alETH has a gap of -2,688.634, which is about 6.53 million U.S. dollars. Alchemix stated that there was no loss of user funds, and Yearn did not suffer any loss. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $6,530,000.
- chain: —
- protocol: Alchemix
- bug_class: logic
- date_occurred: 2021-06-16
- loss_usd: $6,530,000
- source_id: sm:alchemix::2021-06-16