Alkimiya SilicaPools uint128 Truncation Unsafe Downcasting

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Alkimiya

Alkimiya, a protocol for trading on real blockchain and macroeconomic metrics, was recently targeted in a sophisticated exploit due to an unsafe type cast (from uint256 to uint128) in its SilicaPools contract. The attacker used a flash loan to exploit this truncation vulnerability, allowing them to mint and manipulate share records, ultimately redeeming more than their fair share of collateral. Although 1.14 WBTC (approx. $95.5K) was briefly compromised, a whitehat intervened to frontrun the malicious transaction, successfully recovering all funds. The Alkimiya team acted quickly to contain the issue, took affected systems offline, and is continuing its investigation into the attacker’s identity while reinforcing system security. No user funds were lost.[1][2][3][4][5][6][7][8][9]

About Alkimiya

Alkimiya is a market protocol designed to trade on fundamental blockchain and macroeconomic metrics, rather than speculation or hype. It offers users the ability to create strategies around real economic indicators like blockspace demand, on-chain revenue, stablecoin supply, and more. These metrics are public, verifiable, and aim to be predictive of broader market trends.

At the core of Alkimiya is Forecast, its flagship product that transforms raw data into live, tradable markets. Forecast differs from typical binary prediction markets by offering continuous payoffs (more accurate predictions earn more), bounded risk (with caps and floors on outcomes), and a data-driven approach focused on measurable trends rather than volatile narratives like meme coins.

Users can trade on metrics such as BTC transaction fees, Ethereum base revenue, and USDC supply velocity, each supported by dedicated strategy handbooks. Launched in August 2024 and backed by top investors like Coinbase Ventures and Dragonfly, Alkimiya empowers traders, builders, and funds with tools to anticipate market movements through real-world data insights.

What Happened

A sophisticated exploit in Alkimiya’s SilicaPools contract, caused by unsafe downcasting, allowed the compromise of 1.14 WBTC.

Key Event Timeline - Alkimiya SilicaPools uint128 Truncation Unsafe Downcasting

| Date | Event | Description |
| March 28th, 2025 9:34:47 AM MDT | Attack Transaction Occurs | The attack transaction is accepted by the Ethereum blockchain. |
| March 30th, 2025 9:42:00 AM MDT | TenArmor Tweet Posted | TenArmor posts a tweet with an analysis of the incident. |
| March 31st, 2025 1:08:00 AM MDT | Leozayaat Tweet Posted | Leozayaat, the founder of the project, posts an update with the outcome of the funds being returned. |

Technical Details

The root cause of the exploit in the SilicaPools contract lies in the unsafe downcasting of the shares variable from uint256 to uint128 within the collateralizedMint function. The attacker exploited this truncation vulnerability by minting a massive number of shares—specifically, 2^128 + 1. While the full 256-bit value was accepted by the function, the internal logic only stored the lower 128 bits, effectively recording just 1 share instead of the full amount.

The attacker orchestrated the exploit using a flash loan of 10 WBTC, and then minted the large share amount by supplying around 1.7 WBTC as collateral. The system processed the full value of shares for minting, but due to the cast to uint128, only 1 share was officially recorded in the contract's state. After this, the attacker cleverly transferred most of the minted shares (2^128 - 1) away, leaving behind just 2 shares.

Later, the attacker called the redeemShort() function. This function checked the internal state, which believed only 1 share had been minted (due to the cast error), but saw that the attacker held 2 shares. Believing the attacker had over 100% of the supply, the contract allowed them to redeem the full value of the short position—about 3.4 WBTC, which was double the initial collateral.
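The accounting mismatch described above can be reproduced in a small model. This is an added example, not Alkimiya's contract code: PoolModel, replay, the account names and the pro-rata payout formula are assumptions made for illustration, and the collateral figure is the page's roughly 1.7 WBTC expressed in 8-decimal units. It runs the same sequence with a truncating cast and with a checked cast, and includes a supply invariant that a fuzz test or monitor could assert.

```python
# Simplified model of the accounting described above. Added example: the class,
# method and account names are hypothetical, not Alkimiya's contract code.
UINT128_MAX = 2**128 - 1

class CastOverflow(Exception):
    """Stands in for the revert a checked downcast produces."""

def unsafe_u128(x: int) -> int:
    # Solidity's explicit uint128(x) silently keeps only the low 128 bits.
    return x & UINT128_MAX

def checked_u128(x: int) -> int:
    # Checked downcast, the behaviour of OpenZeppelin's SafeCast.toUint128.
    if x > UINT128_MAX:
        raise CastOverflow(f"{x} does not fit in uint128")
    return x

class PoolModel:
    def __init__(self, cast):
        self.cast = cast
        self.shares_minted = 0  # stored as uint128 in the pool state
        self.collateral = 0     # locked collateral, in 8-decimal WBTC units
        self.balances = {}      # share-token balances, full 256-bit width

    def collateralized_mint(self, who, shares, collateral):
        self.shares_minted += self.cast(shares)  # the downcast under discussion
        self.collateral += collateral
        self.balances[who] = self.balances.get(who, 0) + shares

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def redeem_short(self, who):
        # Assumed pro-rata payout: balance / recorded supply * collateral.
        return self.collateral * self.balances[who] // self.shares_minted

    def supply_invariant_holds(self):
        # Invariant a fuzz test or monitor can assert after every mint.
        return sum(self.balances.values()) == self.shares_minted

def replay(cast, shares=2**128 + 1, moved=2**128 - 1, collateral=170_000_000):
    pool = PoolModel(cast)
    pool.collateralized_mint("minter", shares, collateral)  # ~1.7 WBTC
    pool.transfer("minter", "other", moved)
    return (pool.shares_minted, pool.balances["minter"],
            pool.redeem_short("minter"), pool.supply_invariant_holds())
```

With the truncating cast the recorded supply is 1 while 2 shares are held, so the payout is twice the collateral and the invariant fails; with the checked cast the mint itself is rejected.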

Attacker address: 0xF6ffBa5cbF285824000daC0B9431032169672B6e

Attacker’s contract: 0x80bf7db69556d9521c03461978b8fc731dbbd4e4

Attack transaction: 0x9b9a6dd05526a8a4b40e5e1a74a25df6ecccae6ee7bf045911ad89a1dd3f0814

Vulnerable contract: 0xf3f84ce038442ae4c4dcb6a8ca8bacd7f28c9bde

Total Amount Lost

TenArmor has estimated the amount lost at $95.5k USD.

The total amount lost has been estimated at $100,000 USD.

Immediate Reactions

Upon detecting the exploit, the Alkimiya team acted swiftly by taking the affected systems offline, limiting the compromise to 1.14 WBTC. A known whitehat intervened to frontrun the malicious transaction, ensuring that all funds were ultimately recovered. The team expressed gratitude to @_SEAL_Org for their assistance, reaffirmed their commitment to decentralization and open-source development, and emphasized their determination to strengthen security while continuing to build an open financial system.

Ultimate Outcome

All compromised funds were recovered and no user funds were lost. Although 1.14 WBTC was initially compromised, a whitehat hacker successfully frontran the malicious transaction, returning the funds. The Alkimiya team contained the threat quickly, took affected systems offline, and reinforced their commitment to security and decentralization going forward.

"This weekend Alkimiya was attacked by as of yet unknown hacker. Don't worry, all funds are safe.

This was a sophisticated exploit which necessitated intimate knowledge of our stack. It is obvious that whoever is responsible spent considerable time studying our systems. We quickly took the relevant parts of the system offline, and only 1.14 WBTC was compromised before further damage. Fortunately, a known whitehat frontran the malicious transaction. We are glad to say all funds have been returned.

We also want to give our most sincere and heartfelt thanks to @_SEAL_Org for springing to our aid and all the info they have been able to provide.

We always knew there are risks to decentralization and open source development. We will not be abandoning our core principles. Instead, we will work hard to ensure our systems are secure, continue to work with others in the space to share ideas and best practices, and above all we will double down on building the new and open financial system.

There are a lot of bad actors in this space, but as a result of this experience we are even more convinced that there are more good ones than bad ones, and that together we win."

Total Amount Recovered

All compromised funds were recovered and no user funds were lost. Although 1.14 WBTC was initially compromised, a whitehat hacker successfully frontran the malicious transaction, returning the funds.

The total amount recovered has been estimated at $100,000 USD.

Ongoing Developments

The investigation into the identity of the attacker is ongoing. The hacker remains unknown, and it’s clear they had intimate knowledge of Alkimiya’s system, suggesting in-depth study of the stack or possible insider knowledge.

Root cause analysis, attacker identification, and long-term security hardening are still in progress.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References