Audit log

Every state-changing event for Alchemix Finance: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-05-31 06:58:41Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 423,324,420

   sig

   5AKNgLn5WkJV…Q8s1V7ZAcopyexplorer ↗

   hash

   B6pEWp7iwix5…NPtiReU2copysha256 → base58

   verifying row…full verify ↗

   canonical bytes (22296 B) ▸

   {"actor":"system:backfill","investigation_id":"cfd31471-ca4a-4786-9da5-85fc3252485b","kind":"publish","page_slug":"alchemix","published_at":"2026-05-31T06:58:41.481Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Alchemix Finance","sections":[{"content":"Alchemix Finance launched in February 2021 as a self-repaying loan protocol on Ethereum. Users deposit yield-bearing collateral — originally Yearn Finance yDAI vaults, later expanded to include ETH-based strategies — and may borrow synthetic assets (alUSD, alETH) at up to 50% of their deposited value, with no interest charged and no liquidation risk. The yield generated by the underlying collateral is automatically applied to pay down the borrower's debt over time, making the loan effectively self-repaying. The protocol is governed by the ALCX token, an ERC-20 governance and incentive token that launched without a presale or external fundraising. Alchemix expanded collateral types and yield strategies in subsequent versions, with V2 introducing modular yield adapters and V3 raising the loan-to-value ceiling to 90% for select strategies.","heading":"Protocol Overview and Mechanism","severity":"low","sources":[{"credibility":1,"name":"Alchemix Official Site","type":"official","url":"https://alchemix.fi/"},{"credibility":1,"name":"CoinDesk: Self-Repaying Loan Platform Alchemix to Expand Collateral Types","type":"news_article","url":"https://www.coindesk.com/tech/2021/10/08/self-repaying-loan-platform-alchemix-to-expand-collateral-types-strategies"},{"credibility":1,"name":"Alchemix V3 Docs — Introduction","type":"official","url":"https://alchemix-v3-docs.vercel.app/user/"}]},{"content":"On approximately June 16–18, 2021, a critical bug was discovered in Alchemix's newly deployed alETH vault. A misconfiguration in the deployment script caused the vault to create additional vaults unintentionally; the resulting error in debt tracking meant the system treated all outstanding alETH debt as repaid, allowing borrowers to withdraw their ETH collateral without actually repaying their loans. The protocol was left undercollateralized by approximately 2,262–2,700 ETH (estimated at $5.3M–$6.5M at the time). Alchemix paused the alETH contract within approximately 15 minutes of identifying the issue. Because no user depositors lost funds — only the protocol's own solvency was impacted — the team publicly asked users who had withdrawn excess ETH to voluntarily return it through a dedicated portal, offering 1 ALCX token per ETH or alETH returned, plus a special NFT for users who returned 100% of their excess. Co-founder Scoopy Trooples noted that recovering at least 25% was necessary to cover losses using existing treasury holdings. Within three days, more than 50% of the shortfall had been returned; the team deployed three additional recovery measures: a temporary increase in protocol fees, an ETH liquidity injection from the treasury, and a sale of DAI from the treasury for additional ETH. The incident attracted media attention as a notable example of community-driven voluntary restitution in DeFi.","heading":"June 2021 alETH Transmuter Bug ('Reverse Rug')","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: 'Free Money' Bug Hits DeFi Platform Alchemix","type":"news_article","url":"https://www.coindesk.com/tech/2021/06/16/free-money-bug-hits-defi-platform-alchemix"},{"credibility":2,"name":"The Defiant: Alchemix Asks Users to Return Funds After alETH Bug","type":"news_article","url":"https://thedefiant.io/alchemix-asks-users-to-return-funds-after-its-mistake"},{"credibility":2,"name":"REKT News: Alchemix REKT","type":"news_article","url":"https://rekt.news/alchemix-rekt"},{"credibility":1,"name":"Alchemix Governance Forum: alETH Return Program","type":"official","url":"https://forum.alchemix.fi/public/d/150-aleth-return-program"},{"credibility":2,"name":"CryptoNews: Alchemix patches 'Reverse Rug' exploit, addresses $6.5 million shortfall","type":"news_article","url":"https://cryptonews.net/news/defi/818795/"}]},{"content":"On July 30, 2023, a latent vulnerability in Vyper compiler versions 0.2.15, 0.2.16, and 0.3.0 was exploited across multiple Curve Finance liquidity pools. Alchemix's alETH–ETH pool was among those targeted; the attacker drained 4,821 alETH and 7,258 ETH from the pool, an amount later estimated at approximately $20 million. The Alchemix team was able to pre-emptively remove 8,027 alETH before the pool was fully drained. MEV bots and white-hat security contributors front-ran portions of the attacker's transactions and recovered a subset of funds. On August 3, 2023, Alchemix, Curve, and Metronome jointly announced a 10% recovery bounty offer to the exploiter. Within 24 hours of the offer, the original attacker began returning funds; by August 5, 2023, all funds stolen from the Alchemix alETH–ETH pool had been returned. The incident was not attributable to Alchemix's own smart contract code but to a shared infrastructure dependency on an older Vyper compiler version used by Curve. Alchemix subsequently committed to using patched Vyper compiler versions in future deployments and worked with Curve on a compensation plan for affected liquidity providers involving recovered funds and vested CRV tokens.","heading":"July 2023 Curve Finance Vyper Exploit","severity":"high","sources":[{"credibility":1,"name":"Alchemix Finance Medium: Curve Exploit Post Mortem","type":"official","url":"https://alchemixfi.medium.com/curve-exploit-post-mortem-7142e78bc339"},{"credibility":1,"name":"CoinDesk: Looter Behind $61M Curve Hack Starts Returning Assets","type":"news_article","url":"https://www.coindesk.com/markets/2023/08/04/looter-behind-61m-curve-hack-starts-returning-assets-raising-hope-for-recovery"},{"credibility":2,"name":"Chainalysis: Curve Finance Liquidity Pool Hack","type":"research","url":"https://www.chainalysis.com/blog/curve-finance-liquidity-pool-hack/"},{"credibility":2,"name":"Hacken: Curve Finance Liquidity Pools Hack Explained","type":"research","url":"https://hacken.io/discover/curve-finance-liquidity-pools-hack-explained/"}]},{"content":"On March 13, 2023, Euler Finance suffered a flash loan attack resulting in approximately $197 million in losses. Alchemix publicly reported that it had no direct exposure to the Euler Finance exploit. The protocol did hold indirect exposure through yvUSDC and yvUSDT Yearn vaults, which in turn had limited exposure to Euler via Idle and Angle protocols; this indirect exposure was reportedly limited to approximately $1.38 million through Yearn's broader ecosystem. Euler's exploiter subsequently returned all recoverable funds by early April 2023, mitigating downstream exposure for affected protocols. Alchemix's Q1 2023 report did not identify the Euler incident as a material loss event for the protocol.","heading":"Euler Finance Hack — Indirect Exposure (March 2023)","severity":"medium","sources":[{"credibility":2,"name":"CryptoNewsZ: Protocols Report Exposure to the $197M Euler Finance Hack","type":"news_article","url":"https://www.cryptonewsz.com/protocols-report-exposure-to-the-197m-usd-euler-finance-hack/"},{"credibility":1,"name":"CoinDesk: Euler Says All 'Recoverable Funds' Stolen in $200M Hack Have Been Returned","type":"news_article","url":"https://www.coindesk.com/business/2023/04/03/euler-says-all-recoverable-funds-stolen-in-200m-hack-have-been-returned"},{"credibility":1,"name":"Bloomberg: DeFi Lender Euler Finance Hit By $197 Million Hack","type":"news_article","url":"https://www.bloomberg.com/news/articles/2023-03-13/defi-s-euler-finance-hit-by-197-million-hack-experts-say"},{"credibility":1,"name":"Alchemix Q1 2023 Report Summary","type":"official","url":"https://alchemixfi.medium.com/alchemix-q1-2023-report-summary-ee9ab2fabe31"}]},{"content":"Alchemix has engaged multiple security firms across its protocol versions. The V2 codebase was audited by Runtime Verification over seven weeks from November to December 2021, with the final report delivered on January 13, 2022; the audit covered core contracts including AlchemistV2, AlchemicToken, TransmuterV2, and TransmuterBuffer, and identified issues spanning low, medium, and high severity, several of which prompted major code changes. Alchemix subsequently placed its contracts under continuous audit with Runtime Verification. Additional V2 audits were conducted through Code4rena competitive audit contests. In June 2021, iosiro researcher Ashiq Amien disclosed a high-risk access control vulnerability in the AlchemistEth contract via Immunefi; the setWhitelist() function lacked access control, theoretically enabling denial-of-service against yield harvesting. The bug was patched before exploitation and a $7,500 bounty was awarded. In September 2023, a separate access control vulnerability was disclosed through Immunefi, in which the AlchemixHarvester contract's harvest function was callable by arbitrary Gelato task creators, enabling sandwich attacks on yield harvesting swaps; this was patched without user fund impact and a 1,000 ALCX (~$28,730) bounty was paid. An additional missing solvency check vulnerability was disclosed and patched via Immunefi. For V3, Alchemix ran a $50,000 USDC crowdsourced audit competition via Cantina and relaunched its Immunefi bug bounty program with rewards up to $300,000. The protocol has also adopted the SEAL (Security Alliance) Whitehat Safe Harbor Agreement and enrolled in Immunefi Magnus automated threat monitoring.","heading":"Audit History and Security Posture","severity":"medium","sources":[{"credibility":1,"name":"Alchemix Finance Medium: V2 Audit Completed with Runtime Verification","type":"official","url":"https://alchemixfi.medium.com/alchemix-v2-audit-completed-in-partnership-with-runtime-verification-ef3b4ab9b387"},{"credibility":2,"name":"Runtime Verification: Alchemix V2 Audit and Reviewed Code Fixes","type":"research","url":"https://runtimeverification.com/blog/alchemix-v2-audit-and-reviewed-code-fixes"},{"credibility":2,"name":"Immunefi: Alchemix Access Control Issue Bugfix Review","type":"research","url":"https://immunefi.com/blog/bug-fix-reviews/alchemix-access-control-issue-bugfix-review/"},{"credibility":2,"name":"iosiro: High Risk Vulnerability Disclosed to Alchemix","type":"research","url":"https://www.iosiro.com/blog/high-risk-vulnerability-disclosed-to-alchemix"},{"credibility":2,"name":"Immunefi: Alchemix Missing Solvency Check Bugfix Review","type":"research","url":"https://medium.com/immunefi/alchemix-missing-solvency-check-bugfix-review-bcbc13289a12"},{"credibility":1,"name":"Immunefi: Alchemix V3 Bug Bounty Program","type":"official","url":"https://immunefi.com/audit-competition/alchemix-v3-audit-competition/information/"}]},{"content":"Alchemix was founded in February 2021 by a pseudonymous team led by a developer known publicly as Scoopy Trooples, who is also associated with the eGirl Capital DeFi venture collective. The broader development team has operated pseudonymously, with real-world identities not publicly disclosed. The ALCX token serves as the governance mechanism, giving holders voting rights over protocol parameters, treasury management, and product decisions. The token launched without a presale or external venture capital funding, and does not have a hard cap but follows a defined emissions schedule. The pseudonymous nature of the core team is a standard risk consideration for DeFi protocols, as it limits accountability pathways in the event of disputes or misconduct.","heading":"Team and Governance","severity":"medium","sources":[{"credibility":3,"name":"IQ.wiki: Scoopy Trooples","type":"other","url":"https://iq.wiki/wiki/scoopy-trooples"},{"credibility":3,"name":"IQ.wiki: Alchemix","type":"other","url":"https://iq.wiki/wiki/alchemix"},{"credibility":2,"name":"Messari: Alchemix Profile","type":"research","url":"https://messari.io/project/alchemix/profile"}]},{"content":"As of Q2 2025, Alchemix reported global deposits of approximately $45.35 million in total value locked, representing a 12.9% increase from Q1 2025. The protocol remained fully operational. The treasury held $12.41 million in assets excluding governance tokens. Protocol revenue for Q2 2025 was approximately $780,000, a 17.9% decline from the prior quarter amid broader market conditions. The alETH synthetic asset traded at approximately 0.9589 ETH and alUSD at approximately 0.9955 USD at quarter-end. Recent integrations include an Optimism deployment with a 100,000 OP grant for yield incentives, integration with HAI stablecoin borrowing, and the Holyheld beta debit card on Optimism. Alchemix V3 was in active development and audit competition during this period, with V3 contracts undergoing a Cantina crowdsourced audit and a relaunched Immunefi bug bounty program with up to $300,000 in rewards. Binance removed ALCX from its VIP Loan service in March 2026, noted in contemporaneous reporting as a general risk review of volatile DeFi assets rather than a protocol-specific concern.","heading":"Current Operational Status","severity":"low","sources":[{"credibility":1,"name":"Alchemix Finance Medium: Q2 2025 Report Summary","type":"official","url":"https://alchemixfi.medium.com/alchemix-q2-2025-report-summary-d31ec98cc4a9"},{"credibility":2,"name":"DeFi Llama: Alchemix TVL","type":"on_chain","url":"https://defillama.com/protocol/alchemix"},{"credibility":2,"name":"Alchemix on X: Q4 2024 Financial Report","type":"official","url":"https://x.com/AlchemixFi/status/1905288740039487518"}]}],"sources_used":[{"name":"Alchemix Official Site","type":"official","url":"https://alchemix.fi/"},{"name":"CoinDesk: 'Free Money' Bug Hits DeFi Platform Alchemix","type":"news_article","url":"https://www.coindesk.com/tech/2021/06/16/free-money-bug-hits-defi-platform-alchemix"},{"name":"CoinDesk: Self-Repaying Loan Platform Alchemix to Expand Collateral Types","type":"news_article","url":"https://www.coindesk.com/tech/2021/10/08/self-repaying-loan-platform-alchemix-to-expand-collateral-types-strategies"},{"name":"CoinDesk: Euler Says All Recoverable Funds Have Been Returned","type":"news_article","url":"https://www.coindesk.com/business/2023/04/03/euler-says-all-recoverable-funds-stolen-in-200m-hack-have-been-returned"},{"name":"CoinDesk: Looter Behind $61M Curve Hack Starts Returning Assets","type":"news_article","url":"https://www.coindesk.com/markets/2023/08/04/looter-behind-61m-curve-hack-starts-returning-assets-raising-hope-for-recovery"},{"name":"The Defiant: Alchemix Asks Users to Return Funds After alETH Bug","type":"news_article","url":"https://thedefiant.io/alchemix-asks-users-to-return-funds-after-its-mistake"},{"name":"REKT News: Alchemix REKT","type":"news_article","url":"https://rekt.news/alchemix-rekt"},{"name":"Bloomberg: DeFi Lender Euler Finance Hit By $197 Million Hack","type":"news_article","url":"https://www.bloomberg.com/news/articles/2023-03-13/defi-s-euler-finance-hit-by-197-million-hack-experts-say"},{"name":"Chainalysis: Euler Finance Flash Loan Attack Explained","type":"research","url":"https://www.chainalysis.com/blog/euler-finance-flash-loan-attack/"},{"name":"Chainalysis: Curve Finance Liquidity Pool Hack","type":"research","url":"https://www.chainalysis.com/blog/curve-finance-liquidity-pool-hack/"},{"name":"Alchemix Finance Medium: Curve Exploit Post Mortem","type":"official","url":"https://alchemixfi.medium.com/curve-exploit-post-mortem-7142e78bc339"},{"name":"Alchemix Finance Medium: V2 Audit with Runtime Verification","type":"official","url":"https://alchemixfi.medium.com/alchemix-v2-audit-completed-in-partnership-with-runtime-verification-ef3b4ab9b387"},{"name":"Runtime Verification: Alchemix V2 Audit and Reviewed Code Fixes","type":"research","url":"https://runtimeverification.com/blog/alchemix-v2-audit-and-reviewed-code-fixes"},{"name":"Immunefi: Alchemix Access Control Issue Bugfix Review","type":"research","url":"https://immunefi.com/blog/bug-fix-reviews/alchemix-access-control-issue-bugfix-review/"},{"name":"iosiro: High Risk Vulnerability Disclosed to Alchemix","type":"research","url":"https://www.iosiro.com/blog/high-risk-vulnerability-disclosed-to-alchemix"},{"name":"Immunefi: Alchemix Missing Solvency Check Bugfix Review","type":"research","url":"https://medium.com/immunefi/alchemix-missing-solvency-check-bugfix-review-bcbc13289a12"},{"name":"Immunefi: Alchemix V3 Audit Competition","type":"official","url":"https://immunefi.com/audit-competition/alchemix-v3-audit-competition/information/"},{"name":"Alchemix Governance Forum: alETH Return Program","type":"official","url":"https://forum.alchemix.fi/public/d/150-aleth-return-program"},{"name":"Alchemix Q1 2023 Report Summary","type":"official","url":"https://alchemixfi.medium.com/alchemix-q1-2023-report-summary-ee9ab2fabe31"},{"name":"Alchemix Q2 2025 Report Summary","type":"official","url":"https://alchemixfi.medium.com/alchemix-q2-2025-report-summary-d31ec98cc4a9"},{"name":"DeFi Llama: Alchemix TVL","type":"on_chain","url":"https://defillama.com/protocol/alchemix"},{"name":"CryptoNewsZ: Protocols Report Exposure to the $197M Euler Finance Hack","type":"news_article","url":"https://www.cryptonewsz.com/protocols-report-exposure-to-the-197m-usd-euler-finance-hack/"},{"name":"IQ.wiki: Alchemix","type":"other","url":"https://iq.wiki/wiki/alchemix"},{"name":"Messari: Alchemix Profile","type":"research","url":"https://messari.io/project/alchemix/profile"},{"name":"Alchemix GitHub Organization","type":"official","url":"https://github.com/alchemix-finance"}],"summary":"Alchemix Finance is an Ethereum-based DeFi protocol that offers self-repaying loans, allowing users to deposit yield-bearing collateral and borrow synthetic assets whose debt is automatically paid down by the underlying yield. The protocol has experienced several notable security incidents since its February 2021 launch, including a June 2021 alETH transmuter bug (~2,700 ETH overclaimed), and a July 2023 Curve pool exploit (~$20M stolen and subsequently fully returned). Alchemix has maintained operational continuity through each incident and continues to develop a V3 upgrade with an active Immunefi bug bounty program.","timeline":[{"date":"2021-02-01","event":"Alchemix Finance launches on Ethereum mainnet, introducing self-repaying alUSD loans backed by Yearn yDAI vaults.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2021/10/08/self-repaying-loan-platform-alchemix-to-expand-collateral-types-strategies"},{"date":"2021-06-14","event":"iosiro researcher Ashiq Amien discloses a high-risk access control vulnerability in the AlchemistEth contract via Immunefi; bug is patched before exploitation, $7,500 bounty awarded.","source":"iosiro","source_url":"https://www.iosiro.com/blog/high-risk-vulnerability-disclosed-to-alchemix"},{"date":"2021-06-16","event":"alETH transmuter bug discovered: misconfigured vault deployment causes ~2,262–2,700 ETH (~$5.3M–$6.5M) overclaimed by borrowers who could withdraw collateral without repaying loans. alETH contract paused within ~15 minutes.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2021/06/16/free-money-bug-hits-defi-platform-alchemix"},{"date":"2021-06-21","event":"Alchemix launches voluntary alETH return portal, offering 1 ALCX per ETH/alETH returned plus an NFT for full returns. Over 50% of shortfall recovered within three days.","source":"Alchemix Governance Forum","source_url":"https://forum.alchemix.fi/public/d/150-aleth-return-program"},{"date":"2022-01-13","event":"Runtime Verification delivers final V2 audit report following a seven-week engagement covering core AlchemistV2, TransmuterV2, and related contracts.","source":"Alchemix Finance Medium","source_url":"https://alchemixfi.medium.com/alchemix-v2-audit-completed-in-partnership-with-runtime-verification-ef3b4ab9b387"},{"date":"2023-03-13","event":"Euler Finance suffers a ~$197M flash loan hack. Alchemix reports no direct exposure; indirect exposure via yvUSDC/yvUSDT Yearn vaults is limited to approximately $1.38M through Idle and Angle integrations.","source":"CryptoNewsZ","source_url":"https://www.cryptonewsz.com/protocols-report-exposure-to-the-197m-usd-euler-finance-hack/"},{"date":"2023-04-03","event":"Euler Finance announces all recoverable funds from the March 13 hack have been returned by the exploiter, resolving indirect exposure risk for Alchemix and other affected protocols.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2023/04/03/euler-says-all-recoverable-funds-stolen-in-200m-hack-have-been-returned"},{"date":"2023-07-30","event":"Curve Finance liquidity pools exploited via a Vyper compiler vulnerability (versions 0.2.15–0.3.0). Alchemix's alETH–ETH pool loses 4,821 alETH and 7,258 ETH (~$20M). Alchemix pre-emptively removes 8,027 alETH before pool is fully drained.","source":"Alchemix Finance Medium","source_url":"https://alchemixfi.medium.com/curve-exploit-post-mortem-7142e78bc339"},{"date":"2023-08-03","event":"Alchemix, Curve, and Metronome jointly offer the Curve exploiter a 10% recovery bounty to return stolen funds.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2023/08/04/looter-behind-61m-curve-hack-starts-returning-assets-raising-hope-for-recovery"},{"date":"2023-08-05","event":"All funds stolen from Alchemix's alETH–ETH Curve pool are returned by the exploiter following the bounty offer.","source":"Alchemix Finance Medium","source_url":"https://alchemixfi.medium.com/curve-exploit-post-mortem-7142e78bc339"},{"date":"2023-09-23","event":"Security researcher Koiush submits a high-severity access control vulnerability in AlchemixHarvester to Immunefi; the bug could have enabled sandwich attacks on yield harvesting. Patched with no user fund impact; 1,000 ALCX bounty paid.","source":"Immunefi","source_url":"https://immunefi.com/blog/bug-fix-reviews/alchemix-access-control-issue-bugfix-review/"},{"date":"2025-06-30","event":"Alchemix reports Q2 2025 TVL of $45.35M (up 12.9% quarter-over-quarter), with protocol revenue of ~$780K and full operational continuity. V3 audit competition underway via Cantina.","source":"Alchemix Finance Medium","source_url":"https://alchemixfi.medium.com/alchemix-q2-2025-report-summary-d31ec98cc4a9"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 4ca5e556-e331-4589-a3f0-8ae9c0d6b641copy