Alpha Finance / Alpha Homora V2 (leveraged yield farming): Debt accounting manipulation via rounding bug + public `resolveReserve` function + custom "evil spell"; insider knowledge of unannounced sUSD pool required
Summary
Alpha Finance / Alpha Homora V2 (leveraged yield farming) suffered an exploit in the Leveraged Yield Farming / Lending category on 2021-02-13, resulting in a loss of approximately $38M.
What happened
Alpha Homora V2 lost $37.5M when an attacker with apparent insider knowledge used a rounding bug and a public fee-collection function to create exponentially inflating fake debt, then borrowed $37.5M in real assets across a 13-step attack.
Linked factors
- RD-F-001 — causal : ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — HomoraBankV2 with sUSD pool was newly deployed and not yet publicly accessible] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — HomoraBankV2 with sUSD pool was newly deployed and not yet publicly accessible] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program]
- RD-F-050 — causal : Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- RD-F-052 — related : Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- RD-F-098 — illustrative : TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early: Y — SBF withdrew $400M FTT from Cream Finance; Three Arrows Capital sent $3M ALPHA to Binance shortly after the exploit broke publicly (like...] || Low detectability — RT signals would NOT have caught (negative-evidence) [via realtime_signals/Detectability rating: Low] || Low detectability — alternate field name [via realtime_signals/Detectability rating: Low]
- RD-F-141 — related : Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- RD-F-146 — related : New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — HomoraBankV2 with sUSD pool was newly deployed and not yet publicly accessible]