Alchemix - REKT
DeFi is a volatile protoscience.
When a protocol becomes caput mortuum, doctor rekt is on hand to study the elements and document the process, including the final reaction.
The Alchemix post-mortem shows how modern-day alchemists almost succeeded at safely creating gold out of the ether.
Alchemix's initial offering allowed users to deposit DAI and take a loan in alUSD, representing the future yield generated by their deposit. Over time, the loan is repaid with the yield, and thus; the transmutation is complete.
However, when the team tried to expand their accepted collateral to include deposits of Ether, their experiment took an unexpected turn...
When the same process was implemented with ETH, (minting alETH in return), some users discovered that the protocol assigned them no debt.
Users were able to use their alETH as well as withdraw the ETH that was supposed to be locked as collateral.
After being notified that their own users were exploiting them, the Alchemix team reacted quickly, and temporarily paused the minting of new alETH while they worked to find a solution.
This reverse-rugpull has left alETH undercollateralized by ~2700 ETH, or ~$6.5M at time of writing; a debt which must now be repaid by Alchemix.
The protocol has made a public appeal to their users to return the funds and help repay the debt.
We spoke to Alchemix co-founder Scoopy Trooples to find out if he thought the appeal would be successful.
Hi Scoopy. It’s been two days now since the bug was found, how has the incident affected you and your team?
It's been stressful, but thankfully we have had a lot of support from our community and people all over the industry. We are confident in our ability to get alETH solvent again, and we are extremely fortunate that no user lost funds in this incident. Going forward our team will exercise an even greater abundance of caution in all areas of our operation. We realize that protocols are lucky to get second chances, and almost never get third chances. Our team is committed to being better and learning from our mistakes so we never repeat them.
Alchemix had over $1b TVL at the time of the incident, that’s a lot of responsibility - can you give us some insight into how you felt when you were alerted to the issue?
Having such a high tvl comes with an incredible burden. When we first realized something was wrong, the first thing we did was to pause the contracts. Constant worry filled my mind and it felt like my blood was on fire as we researched in the war room to find the root cause. We found relief when we got to the answer and realized all funds were safe, but still knew we had a lot of work to make things right.
Alchemix made a public appeal for users to return the withdrawn funds - how successful has that been?
We have had many in the community say they will do it but we have not yet started the program. We will have a portal up on our app page in a few days where users can voluntarily return their free eth or alETH. We will see how far that gets us, and are weighing several options for how to cover whatever doesn't get returned. We'll be sure to include community feedback in whatever course of action we end up taking.
How many users took the opportunity to withdraw “free” ETH?
In the end, it will be anyone who borrowed alETH. The bug repaid all the debt, so even those who wish not to exploit this incident have no choice but to.
How will the missing $6.5m affect the future development of the protocol?
It all depends on how much our users give back. If we get > 25% of it, our treasury's non-ALCX holdings of approx $4m will be able to cover it. It will mean we will not be able to be as aggressive in hiring and marketing for some time, but we will recover since we have good cash flow. If we have a more tepid response to the voluntary returning program, then we will explore further measures to make it solvent. We have been offered help from many in the space, so we have some solid options.
Thanks Scoopy. Any final message for our readers?
We are conducting an internal review to ensure we can eliminate mistakes and errors. We thank the DeFi community for all the support and will move forward more battled-hardened and wiser.
It seems the Alchemix team are confident that they can take on this debt and continue to build.
The power of a loyal community can not be understated in DeFi, especially when a protocol requires some forgiveness. Despite this embarrassing incident, some users never lost faith in Alchemix, like this user who used the misappropriated funds to re-invest straight back into the protocol.
Will the rest of the community return the required 25%, or will the Alchemists have to create a different solution?
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
Jimbo's Protocol - REKT
Jimbo’s Protocol was hit with a flash loan attack in the early hours of Sunday, losing $7.5M. The team have sent the attacker an ultimatum. But for now, Jimbo is stuck in limbo.
Tornado Cash Governance - REKT
Cypherpunks strive to become ungovernable... but not like this. Tornado Cash's governance has been taken hostage via a trojan horse proposal. But now the hacker is proposing reversing the effects of their exploit. Hopefully this all turns out to be just a storm in a teacup.
Swaprum - REKT
Swaprum, an Arbitrum-based DEX, pulled the rug for $3M on Thursday. Certik, the project's auditor, has since updated Swaprum’s security score to “Exit Scam”. Too little, too late?