Audit log

Every state-changing event for Alchemix V2: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-05-28 17:55:22Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 422,769,758

   sig

   2r41dk1Gq6DW…VxzVYHpncopyexplorer ↗

   hash

   22yZZzVqVAmB…A1qi9iN3copysha256 → base58

   verifying row…full verify ↗

   canonical bytes (11086 B) ▸

   {"actor":"system:backfill","investigation_id":"4f3f70f6-b41e-45f9-8f4d-47cf87405f2c","kind":"publish","page_slug":"alchemix-v2","published_at":"2026-05-28T17:55:22.519Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Alchemix V2","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://alchemix.fi/","type":"other","url":""},{"credibility":3,"name":"https://beincrypto.com/learn/alchemix/","type":"other","url":""},{"credibility":3,"name":"https://docs.alchemix.fi/alchemix-dao/alcx-token","type":"other","url":""},{"credibility":3,"name":"https://iq.wiki/wiki/scoopy-trooples","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.coindesk.com/tech/2021/06/16/free-money-bug-hits-defi-platform-alchemix","type":"other","url":""},{"credibility":3,"name":"https://cointelegraph.com/news/alchemix-patches-reverse-rug-exploit-address-6-5-million-shortfall","type":"other","url":""},{"credibility":3,"name":"https://www.halborn.com/blog/post/explained-the-alchemix-reverse-rug-pull-june-2021","type":"other","url":""},{"credibility":3,"name":"https://slowmist.medium.com/slowmist-alchemix-hack-analysis-e8c9ec6c2ee3","type":"other","url":""},{"credibility":3,"name":"https://thedefiant.io/alchemix-asks-users-to-return-funds-after-its-mistake/","type":"other","url":""},{"credibility":3,"name":"https://finance.yahoo.com/news/alchemix-defi-protocol-fixes-reverse-054243156.html","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://alchemixfi.medium.com/curve-exploit-post-mortem-7142e78bc339","type":"other","url":""},{"credibility":3,"name":"https://www.halborn.com/blog/post/explained-the-vyper-bug-hack-july-2023","type":"other","url":""},{"credibility":3,"name":"https://finance.yahoo.com/news/defi-lender-alchemix-says-vyper-133516915.html","type":"other","url":""},{"credibility":3,"name":"https://cointelegraph.com/news/curve-vyper-exploit-whole-story-so-far","type":"other","url":""},{"credibility":3,"name":"https://hacken.io/discover/curve-finance-liquidity-pools-hack-explained/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://runtimeverification.com/blog/alchemix-v2-audit-and-reviewed-code-fixes","type":"other","url":""},{"credibility":3,"name":"https://alchemixfi.medium.com/alchemix-v2-audit-completed-in-partnership-with-runtime-verification-ef3b4ab9b387","type":"other","url":""},{"credibility":3,"name":"https://docs.alchemix.fi/resources/audits-and-reports","type":"other","url":""},{"credibility":3,"name":"https://skynet.certik.com/projects/alchemix","type":"other","url":""},{"credibility":3,"name":"https://immunefi.com/audit-competition/alchemix-boost/information/","type":"other","url":""},{"credibility":3,"name":"https://github.com/code-423n4/2022-05-alchemix","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://iq.wiki/wiki/scoopy-trooples","type":"other","url":""},{"credibility":3,"name":"https://indexcoop.substack.com/p/conversations-with-the-coop-scoopy","type":"other","url":""},{"credibility":3,"name":"https://docs.alchemix.fi/alchemix-dao/alcx-token","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://defillama.com/protocol/alchemix","type":"other","url":""},{"credibility":3,"name":"https://coinmarketcap.com/currencies/alchemix/","type":"other","url":""},{"credibility":3,"name":"https://beincrypto.com/learn/alchemix/","type":"other","url":""}]}],"sources_used":[{"credibility":1,"name":"CoinDesk: 'Free Money' Bug Hits DeFi Platform Alchemix","type":"news_article","url":"https://www.coindesk.com/tech/2021/06/16/free-money-bug-hits-defi-platform-alchemix"},{"credibility":2,"name":"CoinTelegraph: Alchemix patches 'Reverse Rug' exploit","type":"news_article","url":"https://cointelegraph.com/news/alchemix-patches-reverse-rug-exploit-address-6-5-million-shortfall"},{"credibility":2,"name":"Halborn: Explained — The Alchemix Reverse Rug Pull (June 2021)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-alchemix-reverse-rug-pull-june-2021"},{"credibility":2,"name":"SlowMist: Alchemix Hack Analysis","type":"research","url":"https://slowmist.medium.com/slowmist-alchemix-hack-analysis-e8c9ec6c2ee3"},{"credibility":2,"name":"The Defiant: Alchemix Asks Users to Return Funds After alETH Bug","type":"news_article","url":"https://thedefiant.io/alchemix-asks-users-to-return-funds-after-its-mistake/"},{"credibility":2,"name":"Yahoo Finance: Alchemix DeFi Protocol Fixes Reverse Rug Pull Vulnerability","type":"news_article","url":"https://finance.yahoo.com/news/alchemix-defi-protocol-fixes-reverse-054243156.html"},{"credibility":2,"name":"Alchemix Medium: Curve Exploit Post-Mortem","type":"official","url":"https://alchemixfi.medium.com/curve-exploit-post-mortem-7142e78bc339"},{"credibility":2,"name":"Halborn: Explained — The Vyper Bug Hack (July 2023)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-vyper-bug-hack-july-2023"},{"credibility":1,"name":"Yahoo Finance / Bloomberg: DeFi Lender Alchemix Says Vyper Hacker Returned Stolen Crypto","type":"news_article","url":"https://finance.yahoo.com/news/defi-lender-alchemix-says-vyper-133516915.html"},{"credibility":2,"name":"CoinTelegraph: Curve-Vyper exploit — the whole story so far","type":"news_article","url":"https://cointelegraph.com/news/curve-vyper-exploit-whole-story-so-far"},{"credibility":2,"name":"Alchemix Medium: V2 Audit with Runtime Verification","type":"official","url":"https://alchemixfi.medium.com/alchemix-v2-audit-completed-in-partnership-with-runtime-verification-ef3b4ab9b387"},{"credibility":2,"name":"Runtime Verification: Alchemix V2 Audit and Reviewed Code Fixes","type":"research","url":"https://runtimeverification.com/blog/alchemix-v2-audit-and-reviewed-code-fixes"},{"credibility":2,"name":"Alchemix User Docs: Audits and Reports","type":"official","url":"https://docs.alchemix.fi/resources/audits-and-reports"},{"credibility":2,"name":"Immunefi: Alchemix Bug Bounty Program","type":"official","url":"https://immunefi.com/audit-competition/alchemix-boost/information/"},{"credibility":2,"name":"CertiK Skynet: Alchemix Project Insight","type":"research","url":"https://skynet.certik.com/projects/alchemix"},{"credibility":2,"name":"DefiLlama: Alchemix TVL","type":"on_chain","url":"https://defillama.com/protocol/alchemix"},{"credibility":3,"name":"IQ.wiki: Scoopy Trooples","type":"other","url":"https://iq.wiki/wiki/scoopy-trooples"},{"credibility":1,"name":"Fortune: Benevolent hacker pulls back $5.4 million targeted in Curve Finance hack","type":"news_article","url":"https://fortune.com/crypto/2023/07/31/curve-finance-52-million-hack-hacker-helps-return-funds/"},{"credibility":2,"name":"Code4rena: 2022-05-alchemix audit repository","type":"research","url":"https://github.com/code-423n4/2022-05-alchemix"},{"credibility":2,"name":"Hacken: Curve Finance Liquidity Pools Hack Explained","type":"research","url":"https://hacken.io/discover/curve-finance-liquidity-pools-hack-explained/"}],"summary":"Alchemix V2 is a DeFi self-repaying loan protocol on Ethereum that allows users to borrow synthetic assets (alUSD, alETH) against yield-bearing collateral, with loans auto-repaid by yield generated from underlying deposits. The protocol experienced two notable security incidents: a June 2021 smart contract bug in the alETH vault that allowed users to withdraw collateral without repaying loans (the 'reverse rug pull,' ~$6.5M shortfall), and an indirect July 2023 exploit via a Vyper compiler vulnerability in a Curve liquidity pool (~$13.6M drained, later fully returned). In both cases, the Alchemix team responded promptly and took active steps to restore protocol solvency, distinguishing it from many exploited DeFi protocols.","timeline":[{"date":"2021-02-01","event":"Alchemix V1 protocol launches on Ethereum mainnet with alUSD synthetic stablecoin and Yearn vault integrations.","source":""},{"date":"2021-06-13","event":"Alchemix launches the alETH vault, introducing ETH as collateral for synthetic loans.","source":""},{"date":"2021-06-16","event":"A deployment bug in the alETH vault is discovered: incorrect vault array indexing causes borrower debts to be incorrectly forgiven. Users begin withdrawing collateral without repaying loans. Approximately $6.5 million (2,688 ETH) shortfall results. ALCX falls ~21.5%. The team pauses alETH minting within ~15 minutes of beginning investigation.","source":"CoinDesk / CoinTelegraph","source_url":"https://www.coindesk.com/tech/2021/06/16/free-money-bug-hits-defi-platform-alchemix"},{"date":"2021-06-17","event":"Alchemix publishes post-mortem, publicly asks users to voluntarily return excess ETH/alETH, offering 1 ALCX per 1 ETH returned and a special NFT for full repayment. Team increases protocol fees and sells DAI from treasury to restore collateralization.","source":"The Defiant / CoinTelegraph","source_url":"https://cointelegraph.com/news/alchemix-patches-reverse-rug-exploit-address-6-5-million-shortfall"},{"date":"2021-06-30","event":"More than half of the $6.5M shortfall reportedly recovered through voluntary user returns.","source":""},{"date":"2021-11-01","event":"Runtime Verification begins formal seven-week audit of Alchemix V2 core smart contracts.","source":""},{"date":"2022-01-13","event":"Runtime Verification delivers Alchemix V2 audit report. 3 High, 11 Medium, 14 Low issues identified; all High and Low and 9 of 11 Medium issues resolved.","source":"Runtime Verification / Alchemix Medium","source_url":"https://alchemixfi.medium.com/alchemix-v2-audit-completed-in-partnership-with-runtime-verification-ef3b4ab9b387"},{"date":"2022-05-01","event":"Alchemix V2 launches with expanded yield strategies (Vesper, AAVE vaults) and user-selectable collateral types. Code4rena audit competition also conducted.","source":""},{"date":"2023-07-30","event":"Vyper compiler vulnerability exploited across multiple Curve Finance pools. Alchemix alETH-ETH pool drained of 4,821 alETH and 7,258 ETH (~$13.6M). Alchemix team immediately begins emergency liquidity removal.","source":"Alchemix Medium Post-Mortem","source_url":"https://alchemixfi.medium.com/curve-exploit-post-mortem-7142e78bc339"},{"date":"2023-08-03","event":"Alchemix, Curve, and Metronome publicly offer exploiter 10% bounty in exchange for returning 90% of funds by August 6, pledging no legal action.","source":"Fortune / CoinTelegraph","source_url":"https://fortune.com/crypto/2023/07/31/curve-finance-52-million-hack-hacker-helps-return-funds/"},{"date":"2023-08-05","event":"Exploiter returns all stolen alETH and ETH to Alchemix over multiple transactions. Full fund recovery confirmed.","source":"CoinTelegraph / Yahoo Finance","source_url":"https://finance.yahoo.com/news/defi-lender-alchemix-says-vyper-133516915.html"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 7f275d90-1af4-4f34-a464-16fa06413e7fcopy