Iron Bank vs Alpha Homora

Things move fast in DeFi.

New protocols spring up out of nowhere. Some on the back of genuine innovation, and others simply shilled into existence by CT’s ‘thought-leader’ VCs.

Projects can also find themselves undone from one block to the next.

But this story is a slow burner.

For Iron Bank and Alpha Homora, an early 2021 hack has been hanging over both projects for over two years.

And now, things have come to a head.

$30M of bad debt hasn’t been paid back (thanks to a naively optimistic repayment plan) and, now, Alpha Homora’s users’ funds are being held hostage by the Iron Bank.

While many will have forgotten the original incident, rekt remembers.

How did we get here?

The Iron Bank was set up in January 2021, as a spin-off from twice-rekt CREAM Finance. The protocol-to-protocol lending platform got merged into what at the time began to look increasingly like a decentralised monopoly of interconnected projects, spearheaded by Andre Cronje.

On February 13th 2021, Alpha Finance (which later rebranded to Alpha Ventures DAO) was exploited via a new pool contract that was neither publicly announced, nor accessible via the UI.

While it was Alpha’s code that was hacked, the attack caused losses on Iron Bank of $32.4M, and a repayment agreement was brokered to cover the bad debt.

20% of Alpha’s protocol fees would be paid to the Iron Bank, with the deal collateralised by 50M ALPHA tokens, worth almost $90M directly following the hack.

Unsurprisingly, given recent market trends, the payments have not made much of a dent.

According to the Iron Bank’s statement, Alpha have paid back just 1.5% of the debt, $500k net, and still owe $31.9M.

With the benefit of hindsight, the agreement reads as the kind of contract drawn up during the peak of short-term, up-only degen hysteria. The Iron Bank must have accepted the terms either out of blind faith in the bull market, or perhaps desperation after such a loss.

Since then, the value of the original ALPHA collateral tanked with rest of the market, over 90%, leaving the debt undercollateralised. As the price fell, the ALPHA was never liquidated, with the parties instead agreeing to topping up collateral and rebalancing the debt.

But facing a deep DeFi winter, and with the repayment plan seemingly stretching into the far future, the Iron Bank has resorted to drastic measures.

Last week, the Iron Bank gave an ultimatum of three days to come up with the funds…

…while freezing Alpha Homora users’ funds in their contracts.

Impatience on an everlasting debt, or reneging on a deal made in good faith?

Unable to dump the Alpha collateral due to the terms of the escrow contract, the Iron Bank warned it “reserve[s] the right to offset the exploit debt from Alpha Homora’s account”, essentially threatening to rug Alpha users’ funds.

In Alpha’s most recent response, they have proposed that Iron Bank return ~$11M of users’ funds, holding onto the remaining ~$30M while they discuss how to deal with the debt going forward.

A few hours before the deadline, Alpha Homora published an ‘update’ stating they are discussing a solution.

But now the deadline has passed, and no news from neither Alpha nor Iron Bank.

Will the Iron Bank go through with its threat to rug Alpha users’ funds?

However this story ends, it is not a good look for DeFi.

Looking back, it’s no surprise that a repayment plan drawn up during the promising days of Spring 2021 is falling short under current conditions.

But signing up for a bad deal two years ago doesn’t justify holding user funds hostage.

Rugging users via protocol upgrades should never be considered, even more so when the users are from another project altogether. The Iron Bank took the decision to freeze Alpha’s accounts simply using the multisig without DAO approval.

This industry is built around trustlessness.

Overall, this is a messy reminder that permissioned finance and trusted relationships is not what DeFi is designed for.

The actions of Iron Bank contains echoes of (or maybe was inspired by) the worrying reverse ‘hack’ in which the Oasis multisig upgraded contracts to rug the Wormhole exploiter.

Precedents are currently being set for conflict resolution in DeFi.

Instead of using admin powers to ‘do the right thing’ (according to whoever holds the keys), DeFi protocols must be built as autonomous and antifragile, avoiding these types of situations entirely.

Good faith may seem acceptable in a bull market, but the bear brings out the worst in us all.

In less than two weeks we have seen a court-ordered rug of user funds, and now more user funds are being held hostage to cover a deal gone sour…

What next?

share this article

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.

donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C


REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.