Alchemix patches ‘Reverse Rug’ exploit, addresses $6.5 million shortfall

It’s as miraculous as Aladdin taking off on a magic carpet: in a possible first, some of the users of a decentralized finance protocol were the ones to benefit today from an exploit, turning the concept of a ‘rugpull’ on its head. 

A ‘rugpull’ is a colloquialism for when liquidity is drained from a project (often by an unscrupulous founder or developer draining the funds themselves). Depositors and DeFi users are most often the ones left holding bad debt and/or worthless tokens, hoping for compensation plans that can take months or even years to fully vest.

In an exploit today, however, the users are the ones who got to pull at the seams for a change.

This morning, Alchemix announced that the contracts for one of their synthetic assets, alETH, had experienced an “incident.”

There has been an incident with the Alchemix alETH contracts. Together with the fantastic team at @iearnfinance, we have identified the error and are both working on a post-mortem and a solution to the problem. Funds are safe.

— Alchemix (@AlchemixFi) June 16, 2021

In an incident report published later in the day, Alchemix developer “n4n0” said that “an issue with the deployment script of the alETH vault accidentally created additional vaults,” some of which the protocol used to incorrectly calculate outstanding debts, which in turn meant protocol funds were used to “pay off user debts.”

As a result, for a short window of time users were able to withdraw their ETH collateral with their alETH loans still outstanding — a rugpull by the community to the tune of $6.5 million.

Alchemix innovating again... this time with the reverse rugpull.. a 'rugput' Joking aside there was a little incident with the new alETH vault in which nobody lost any funds but some users actually gained @n4n084191635 with a great incident report here https://t.co/Vo3cWRnZPx pic.twitter.com/68G3y1s3x0

— ⟠ toast.eth (@intocryptoast) June 16, 2021

Per the incident report, the team paused the mint contract for alETH two and a half hours after the exploit was discovered. The report notes that no users lost funds as a result of the exploit, and that Yearn.Finance, whose yield vaults automatically repay Alchemix’s synthetic loans, suffered no loss either. Additionally, a “conservative” initial debt ceiling prevented the protocol loss from being more extreme.

The team, including incident report author n4n0, appears to be taking the loss in stride:

Damn this alETH incident is producing the dankest memes ngl. Credit to @alibyte pic.twitter.com/brk5gUfpST

— n4n0 (@n4n084191635) June 16, 2021

A trio of solutions is being deployed to cover the shortfall, including a temporary increase in protocol fees, an injection of ETH liquidity from Alchemix’s treasury, and a sale of DAI from the treasury for additional ETH. The team says they will be deploying an entirely new vault to address the flaws of the original.

Further changes may be on the horizon for the alETH asset as well. Alchemix currently has an alETH/ETH pool live on Saddle, a VC-backed fork of Curve Finance, after Curve reportedly turned down creating a pool for the synthetic Ether. However, in the past 48 hours the Curve social media account has been making overtures in an effort to bring Alchemix’s latest synthetic asset back.
