Alchemix: Logic bug in alETH collateral accounting — ETH collateral position assigned zero debt → users could withdraw collateral without repaying loan
Alchemix's new alETH feature had a debt accounting bug that accidentally gave users free money — ~2,700 ETH in undercollateralization, then the team publicly asked users to give it back, and remarkably, many did.
Summary #
Alchemix suffered a Yield-Backed Loan / Self-Repaying Loan Protocol on 2021-06-16, resulting in a loss of approximately $5.
What happened #
Alchemix's new alETH feature had a debt accounting bug that accidentally gave users free money — ~2,700 ETH in undercollateralization, then the team publicly asked users to give it back, and remarkably, many did.
Linked factors #
- RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — alETH was a new feature extension; the debt accounting bug was in new, possibly unaudited code]
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: New feature code — likely unaudited or insufficiently reviewed]
- RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — alETH collateral type was newly deployed]
- RD-F-098 — illustrative : TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early (Y/N): Y — ETH collateral being withdrawn without corresponding debt repayment would be detectable]