$167 000 USD





"Alpha Finance Lab is a DeFi Lab, and on a mission to build Alpha Universe. Alpha Universe includes the Alpha ecosystem, which consists of Alpha products that interoperate to maximize returns while minimizing risks for users, and other ecosystems incubated through the Alpha Launchpad incubator program."


"A sandwich attack is happening with DeFi protocols and platforms, and is a form of market manipulation. Simply put: the attacker will try to sandwich someone's transaction with two of his own transactions, one before and one after, thereby causing a small loss to the user."


"Let's make an example: A man named Mark wants to buy Bitcoins. He creates a buy order on a decentralised exchange. Let's say he wants to buy 0.1 BTC for $62,000. There is a slippage factor of 0.1% included. During the time when the transaction needs to get confirmed (usually only a few seconds) an attacker sees Mark's transaction and recognises whether the price of the currency will go up or down. Now they add their own order and buy right before Mark's transaction is confirmed, and right after it they sell their shares again. So with the slippage factor Mark's transaction will get confirmed at a BTC price of $62,062 due to the attackers pushing the price up."


"These implicit assumptions on Uniswap V2 resulted in 20 addresses on Alpha Homora V2 being impacted and lost a total of 40.93 ETH to miners who extracted this value." "In this case, the implicit assumptions not stated on the Uniswap V2 Router contract resulted in miners successfully extracting values from 20 addresses even though Alpha Homora V2 was audited three times by OpenZeppelin, Quantstamp, and PeckShield."


"We recently received a user report regarding abnormal position value loss in Alpha Homora V2 on Ethereum after the position was opened. Looking at the transaction details, the slippage control values correctly reflected the 1% tolerance, but the LP value still did not conform."


"In short, a Miner Extractable Value (MEV) bot inspected the transaction, bundled the transactions such that the bot could make financial profits, and sent these transactions privately to a particular group of miners who then mined these transactions."


"[T]he Uniswap V2 Router contract has implicit assumptions that are not clearly stated on the contract level. Hence, without stating these assumptions, slippage control for some trades on Uniswap V2 may not be checked and may not be taken into account at all in certain scenarios."


"The issue revolves around the Uniswap V2 Router's addLiquidity function, which internally calls _addLiquidity." "The function takes 2 amounts: amountXDesired and amountXMin. amountXDesired determines the desired amount for adding liquidity to the pool. amountXMin determines the minimum amount of assets used."
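To make the "implicit assumption" concrete, here is an added example (not code from the page, from Alpha Finance, or from Uniswap): a Python model of the amount-selection logic inside the router's _addLiquidity, following the branch structure of the public UniswapV2Router02 source. The pool reserves and caller amounts are constructed sample values chosen to show which amountXMin check gets skipped when amountXMin exceeds amountXDesired, and how a caller can state the pre-condition explicitly.

```python
# Added example: model of the Uniswap V2 Router _addLiquidity amount selection.
# Reserves and caller amounts below are constructed sample values, not real data.

def quote(amount_a: int, reserve_a: int, reserve_b: int) -> int:
    """Uniswap V2 quote(): amount of B worth amount_a at the current pool ratio."""
    if amount_a <= 0 or reserve_a <= 0 or reserve_b <= 0:
        raise ValueError("bad quote input")
    return amount_a * reserve_b // reserve_a


def router_add_liquidity(reserve_a, reserve_b, a_desired, b_desired, a_min, b_min):
    """Return (amountA, amountB) the router deposits, or None where it would revert.

    Only the token that is scaled down to the pool ratio is compared with its *Min;
    the other token is taken at *Desired with no check at all. A caller passing
    a_min > a_desired therefore gets no slippage protection on A in branch 1.
    """
    if reserve_a == 0 and reserve_b == 0:            # fresh pool: no price to check
        return a_desired, b_desired
    b_optimal = quote(a_desired, reserve_a, reserve_b)
    if b_optimal <= b_desired:                       # branch 1: B is scaled down
        if b_optimal < b_min:
            return None                              # revert: INSUFFICIENT_B_AMOUNT
        return a_desired, b_optimal                  # a_min is never consulted
    a_optimal = quote(b_desired, reserve_b, reserve_a)  # branch 2: A is scaled down
    if a_optimal < a_min:
        return None                                  # revert: INSUFFICIENT_A_AMOUNT
    return a_optimal, b_desired                      # b_min is never consulted


def precondition_holds(a_desired, b_desired, a_min, b_min) -> bool:
    """The unstated pre-condition: each *Min must not exceed its *Desired."""
    return a_min <= a_desired and b_min <= b_desired


def safe_add_liquidity(reserve_a, reserve_b, a_desired, b_desired, a_min, b_min):
    """Caller-side guard: refuse the call when a *Min bound could be ignored."""
    if not precondition_holds(a_desired, b_desired, a_min, b_min):
        return None
    return router_add_liquidity(reserve_a, reserve_b, a_desired, b_desired, a_min, b_min)


if __name__ == "__main__":
    # Constructed scenario: pool holds 1000 A : 1000 B. The caller expected to add
    # about 1000 A and set a_min = 990 (1% tolerance), but after a front-running swap
    # only 900 A are left, so a_desired = 900 < a_min. The router still accepts.
    print(router_add_liquidity(1000, 1000, 900, 1000, 990, 890))  # (900, 900)
    print(safe_add_liquidity(1000, 1000, 900, 1000, 990, 890))    # None
```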


"From our investigation, the MEV bots are generalized sandwich attack bots, which are not specific to Alpha Homora V2."


"The fix has been patched." "After we have confirmed and tested the fix, our team proceeded quickly to patch the issue. Extra checks were performed to ensure the pre-conditions are satisfied and such scenarios can no longer happen. The fix has also been confirmed by OpenZeppelin and Peckshield." "The vulnerability was present since the original version of Alpha Homora V2, which has undergone 3 different audits from OpenZeppelin, Peckshield, and Quantstamp. The issue has remained unnoticed until recently, which we had already fixed."


"We have plans to compensate these 20 addresses. However, what’s more important is to share this with our community, especially other builders in the space to be aware of these implicit assumptions that are not stated, how you can detect this as a builder, and how to prevent/mitigate this."


"To uphold the function of Alpha Tokenomics, which serves as an insurance for Alpha products, and the collective moral value we share in our community, 154,671 ALPHA (0.064% of total ALPHA staked) will be extracted from Alpha Tokenomics and be distributed to the relevant users."

The Alpha Finance platform (Alpha Homora V2) left users exposed to being "sandwich attacked": their orders, public on the blockchain, were bundled between the attacker's own transactions so that the attacker profited from the resulting price movement. This proved highly lucrative, netting the attacker over 40 Ethereum. Alpha Finance has agreed to compensate the affected users with ALPHA tokens.

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.