Skip to main content
Sign in
Alpha Finance Lab1 decision on this page

Audit log

Every state-changing event for Alpha Finance Lab: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-05-31 06:58:45Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 423,324,437
    sig
    31CVqadJZvxa…WtAswpTUexplorer ↗
    hash
    bZgmDj1cvWaN…EJcCUayWsha256 → base58
    verifying row…full verify ↗
    canonical bytes (19049 B) ▸
    {"actor":"system:backfill","investigation_id":"4873aec7-c217-4bcd-a565-53a599ce3145","kind":"publish","page_slug":"alpha-finance-lab","published_at":"2026-05-31T06:58:45.352Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Alpha Finance Lab","sections":[{"content":"On February 13, 2021 at approximately 05:37 UTC, an attacker executed a series of nine to thirteen coordinated transactions against Alpha Homora V2, extracting roughly $37.5 million in crypto assets. The attack was carried out through a combination of flash loans, a custom malicious 'spell' contract, and exploitation of undisclosed vulnerabilities in HomoraBankV2. Stolen assets included approximately 13,244.63 WETH, 4,263,138.93 DAI, 4,424,596.54 USDC, and 5,647,242.11 USDT. Proceeds were dispersed through Tornado Cash and Curve's Aave pool to obscure the trail. The attacker also sent 1,000 ETH each to the Cream Finance and Alpha Finance deployer addresses, an unusual act that some analysts interpreted as a taunting gesture.","heading":"February 2021 Exploit: Overview","severity":"critical","sources":[{"credibility":1,"name":"Alpha Homora V2 Post Mortem — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/alpha-homora-v2-post-mortem/"},{"credibility":1,"name":"DeFi Protocols Cream Finance, Alpha Exploited in Flash Loan Attack; $37.5M Lost — CoinDesk","type":"news","url":"https://www.coindesk.com/markets/2021/02/13/defi-protocols-cream-finance-alpha-exploited-in-flash-loan-attack-375m-lost"},{"credibility":2,"name":"Alpha Finance Exploited in $37.5 Million Attack — Crypto Briefing","type":"news","url":"https://cryptobriefing.com/alpha-finance-suffers-37-5-million-loss-major-attack/"}]},{"content":"Three distinct vulnerabilities in HomoraBankV2 were chained together to execute the attack. First, the contract contained an undisclosed sUSD lending pool that had no liquidity and was not accessible through the user interface — its existence had not been publicly announced, as it was prepared for a future release. Because the attacker was the sole borrower in this pool, a rounding error in the borrow function produced a debt share mismatch: when repaying 1,000 sUSD plus interest, the attacker could pay back one wei less than owed, leaving the protocol's totalDebt inflated while totalDebtShare remained at 1. Second, the resolveReserve function — intended for fee collection — lacked access controls, allowing any caller to invoke it and increase totalDebt without a corresponding increase in totalDebtShare. Third, the protocol permitted the use of arbitrary custom 'spell' contracts (analogous to Yearn strategies) so long as collateral exceeded borrowing. The attacker deployed a malicious spell at address 0x560a8e3b79d23b0a525e15c6f3486c6a293ddad2. By iterating the rounding exploit across more than 26 doubling cycles, the attacker accumulated massive cySUSD collateral worth effectively zero debt in protocol accounting. This collateral was then used to borrow ETH, DAI, USDC, and USDT from Iron Bank. Flash loans of approximately $1.8 million and $10 million USDC from Aave were used to maintain sufficient liquidity across the exploit chain.","heading":"Technical Vulnerabilities and Attack Mechanics","severity":"critical","sources":[{"credibility":2,"name":"Explained: The Alpha Homora DeFi Hack (Feb 2021) — Halborn","type":"news","url":"https://www.halborn.com/blog/post/explained-the-alpha-homora-defi-hack-feb-2021"},{"credibility":2,"name":"SlowMist: An Analysis of the Attack on Alpha Finance & Cream Exploit — SlowMist / Medium","type":"news","url":"https://slowmist.medium.com/slowmist-an-analysis-of-the-attack-on-alpha-finance-cream-exploit-723c536c36b8"},{"credibility":2,"name":"Alpha Finance — REKT","type":"news","url":"https://rekt.news/alpha-finance-rekt"}]},{"content":"Security researchers and the Alpha Finance team itself noted that executing the attack required knowledge that was not publicly available. The sUSD pool existed only at the contract level and was not exposed through the UI, making it unlikely to have been discovered by routine contract review. The Alpha Finance post mortem stated the attack setup was 'absolutely insane' and suggested it could not have been found by someone casually inspecting the contracts. Alpha Finance announced it had 'a prime suspect already' within hours of the exploit and stated it would work with authorities, but no public identification of the attacker or prosecution was subsequently announced. The narrow pool of individuals with knowledge of the unreleased sUSD pool included personnel at Alpha Finance, Cream Finance, partnered protocols such as Yearn Finance, and associated audit firms.","heading":"Alleged Insider Knowledge","severity":"high","sources":[{"credibility":2,"name":"Alpha Finance — REKT","type":"news","url":"https://rekt.news/alpha-finance-rekt"},{"credibility":3,"name":"Review of the $37.5 million theft of Alpha Finance — Nodesblock","type":"news","url":"https://nodesblock.com/news/review-of-the-37-5-million-theft-of-alpha-finance-hackers-have-inside-information/"},{"credibility":1,"name":"DeFi Protocols Cream Finance, Alpha Exploited in Flash Loan Attack; $37.5M Lost — CoinDesk","type":"news","url":"https://www.coindesk.com/markets/2021/02/13/defi-protocols-cream-finance-alpha-exploited-in-flash-loan-attack-375m-lost"}]},{"content":"The exploit did not create a direct debt between Alpha Homora V2 and its users; rather, the debt was between Alpha Homora V2 and Cream Finance's Iron Bank lending platform, from which the attacker had borrowed. Iron Bank recorded losses of approximately $32.4 million. In spring 2021, Alpha Finance and Cream Finance agreed on a repayment plan: Alpha would contribute 20 percent of its monthly protocol reserve fees toward debt reduction, and 50 million ALPHA tokens would be locked in escrow as collateral representing a 2x ratio against the outstanding balance. Interest on the debt was halted by upgrading the relevant Cream V2 contract. The two deployer-address ETH deposits (1,000 ETH each) from the attacker were applied immediately toward the debt. By early 2023, only approximately $500,000 had been repaid against the original $32.4 million, leaving roughly $31.9 million outstanding. In late February 2023, Iron Bank unilaterally froze Alpha Homora depositor liquidity — a move described by Alpha as taken without notice — and issued ultimatums demanding accelerated repayment. Alpha Homora published a series of ten open letters to Iron Bank and its community, proposing various resolution structures, all of which Iron Bank rejected. After approximately 2.5 months of failed negotiations, Alpha Homora depositors voted to cease talks with Iron Bank, accept a goodwill compensation fund from Alpha, and pursue legal action against Iron Bank.","heading":"Iron Bank Debt and Inter-Protocol Dispute","severity":"critical","sources":[{"credibility":1,"name":"Joint Announcement on Funds Repayment — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/joint-announcement-on-funds-repayment/"},{"credibility":1,"name":"Iron Bank and Alpha Homora Conflict Summarized — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/iron-bank-and-alpha-homora-conflict-summarized/"},{"credibility":2,"name":"Iron Bank vs Alpha Homora — Rekt News","type":"news","url":"https://rekt.news/iron-alpha"},{"credibility":2,"name":"As DeFi partners clash over $32m in bad debt, depositors could lose everything — DL News","type":"news","url":"https://www.dlnews.com/articles/defi/defi-partners-clash-over-32m-bad-debt-iron-bank-alpha-homora/"}]},{"content":"In May 2023, Alpha Venture DAO established a goodwill fund for Alpha Homora depositors whose funds had been frozen by Iron Bank. The fund comprised 30 million ALPHA tokens distributed over 18 months, vesting on the 17th of each month beginning May 17, 2023, plus 50 percent of Alpha Homora protocol fees distributed to depositors over the same period. Allocations were calculated proportionally based on each depositor's share of the total frozen funds at a snapshot taken on May 11, 2023 at 14:00 UTC. Alpha simultaneously encouraged affected depositors to pursue legal remedies against Iron Bank for the frozen funds. The goodwill fund represented a partial, protocol-funded mitigation rather than full restitution of the original exploit losses, as the $32.4 million in bad debt remained substantially unpaid.","heading":"Goodwill Fund and Depositor Compensation","severity":"high","sources":[{"credibility":1,"name":"Tenth Open Letter: Goodwill Fund — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/tenth-open-letter-goodwill-fund/"},{"credibility":1,"name":"Alpha Homora Goodwill Fund — Alpha Venture DAO","type":"official","url":"https://homora-v2.alphaventuredao.io/goodwill-fund"}]},{"content":"Following the February 2021 exploit, Alpha Finance immediately paused new borrowing on Alpha Homora V2 while maintaining lending and repayment capabilities. The team patched the three root-cause vulnerabilities: the custom spell allowance was replaced by a whitelist of approved spells; supported tokens were restricted to ETH, DAI, USDC, and USDT; and the resolveReserve function was access-controlled. Alpha subsequently commissioned a third security audit by OpenZeppelin, conducted on top of prior audits by Quantstamp and PeckShield. Peer reviews were performed by researchers including samczsun and Sorawit. The protocol relaunched Alpha Homora V2 with these changes in April 2021, adding new leveraged pools and lending assets alongside enhanced internal monitoring and a bug bounty program. The relaunch was accompanied by a temporary recovery in the ALPHA token price and total value locked (TVL).","heading":"Post-Exploit Security Improvements and Relaunch","severity":"medium","sources":[{"credibility":2,"name":"Alpha Finance Lab gets its yield farming protocol audited by OpenZeppelin — CryptoNinjas","type":"news","url":"https://www.cryptoninjas.net/2021/04/09/alpha-finance-labs-gets-its-yield-farming-protocol-audited-by-openzeppelin/"},{"credibility":1,"name":"Alpha Homora V2 Has Been Audited By OpenZeppelin — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/alpha-homora-v2-has-been-audited-by-openzeppelin/"},{"credibility":3,"name":"Alpha Homora defies market slump, bolsters TVL and token price on v2 relaunch — CryptoNews","type":"news","url":"https://cryptonews.net/news/altcoins/645056/"}]},{"content":"In March 2022, Alpha Finance Lab rebranded to Alpha Venture DAO, repositioning from a DeFi product studio to a decentralized autonomous organization focused on Web3 application incubation and ownership. The organization is led by co-founder and project lead Tascha Punyaneramitdee, previously Head of Strategy at Band Protocol, and co-founder Nipun Pitimanaaree. The organization is headquartered in Bangkok, Thailand. The rebrand did not resolve the outstanding Iron Bank debt obligations, which continued to be disclosed in Alpha's communications through at least 2023.","heading":"Rebrand to Alpha Venture DAO","severity":"low","sources":[{"credibility":1,"name":"Alpha Finance Lab Rebrands & Expands Into Alpha Venture DAO — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/alpha-finance-lab-rebrands-expands-into-alpha-venture-dao-to-disrupt-web3-ecosystem/"},{"credibility":2,"name":"Alpha Finance Lab rebrands to Alpha Venture DAO — Invezz","type":"news","url":"https://invezz.com/news/2022/03/31/alpha-finance-lab-rebrands-to-alpha-venture-dao-to-support-decentralised-web3-innovation/"}]}],"sources_used":[{"name":"Alpha Homora V2 Post Mortem — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/alpha-homora-v2-post-mortem/"},{"name":"DeFi Protocols Cream Finance, Alpha Exploited in Flash Loan Attack; $37.5M Lost — CoinDesk","type":"news","url":"https://www.coindesk.com/markets/2021/02/13/defi-protocols-cream-finance-alpha-exploited-in-flash-loan-attack-375m-lost"},{"name":"Alpha Homora V2 Exploit Post Mortem — C.R.E.A.M. Finance / Medium","type":"official","url":"https://medium.com/cream-finance/alpha-homora-v2-exploit-post-mortem-344d277bdea6"},{"name":"Explained: The Alpha Homora DeFi Hack (Feb 2021) — Halborn","type":"news","url":"https://www.halborn.com/blog/post/explained-the-alpha-homora-defi-hack-feb-2021"},{"name":"SlowMist: An Analysis of the Attack on Alpha Finance & Cream Exploit — Medium","type":"news","url":"https://slowmist.medium.com/slowmist-an-analysis-of-the-attack-on-alpha-finance-cream-exploit-723c536c36b8"},{"name":"Alpha Finance — REKT","type":"news","url":"https://rekt.news/alpha-finance-rekt"},{"name":"Iron Bank vs Alpha Homora — Rekt News","type":"news","url":"https://rekt.news/iron-alpha"},{"name":"Joint Announcement on Funds Repayment — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/joint-announcement-on-funds-repayment/"},{"name":"Iron Bank and Alpha Homora Conflict Summarized — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/iron-bank-and-alpha-homora-conflict-summarized/"},{"name":"Tenth Open Letter: Goodwill Fund — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/tenth-open-letter-goodwill-fund/"},{"name":"Alpha Finance Lab Rebrands & Expands Into Alpha Venture DAO — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/alpha-finance-lab-rebrands-expands-into-alpha-venture-dao-to-disrupt-web3-ecosystem/"},{"name":"Alpha Finance Exploited in $37.5 Million Attack — Crypto Briefing","type":"news","url":"https://cryptobriefing.com/alpha-finance-suffers-37-5-million-loss-major-attack/"},{"name":"Alpha Homora loses $37 million following Iron Bank exploit — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/alpha-homora-loses-37-million-following-iron-bank-exploit"},{"name":"Alpha Homora V2 Has Been Audited By OpenZeppelin — Alpha Venture DAO Blog","type":"official","url":"https://blog.alphaventuredao.io/alpha-homora-v2-has-been-audited-by-openzeppelin/"},{"name":"As DeFi partners clash over $32m in bad debt, depositors could lose everything — DL News","type":"news","url":"https://www.dlnews.com/articles/defi/defi-partners-clash-over-32m-bad-debt-iron-bank-alpha-homora/"}],"summary":"Alpha Finance Lab, now rebranded as Alpha Venture DAO, is a DeFi protocol suite founded in 2020 and best known for Alpha Homora, a leveraged yield farming platform. On February 13, 2021, Alpha Homora V2 suffered one of the most technically complex exploits in DeFi history, losing approximately $37.5 million through a multi-step flash loan attack that exploited a rounding error and an undisclosed sUSD pool. The exploit triggered a prolonged inter-protocol dispute with Iron Bank (Cream Finance) over $32.4 million in bad debt that remained only partially resolved as of 2023.","timeline":[{"date":"2020-10-01","event":"Alpha Finance Lab founded; ALPHA token launched on Binance Launchpad.","source":"Alpha Venture DAO — Crunchbase","source_url":"https://www.crunchbase.com/organization/alpha-finance-lab"},{"date":"2021-01-01","event":"Alpha Homora V2 launched on Ethereum mainnet, integrating with Cream Finance's Iron Bank for protocol-to-protocol lending.","source":"Alpha Homora V2 Post Mortem — Alpha Venture DAO Blog","source_url":"https://blog.alphaventuredao.io/alpha-homora-v2-post-mortem/"},{"date":"2021-02-13","event":"Alpha Homora V2 exploited via flash loan attack exploiting rounding error, undisclosed sUSD pool, and unrestricted custom spell contracts. Approximately $37.5 million drained. Funds routed to Tornado Cash.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2021/02/13/defi-protocols-cream-finance-alpha-exploited-in-flash-loan-attack-375m-lost"},{"date":"2021-02-13","event":"Alpha Finance suspends new borrowing and patches vulnerabilities. Team announces it has a 'prime suspect' and will work with authorities. No public identification of attacker follows.","source":"Crypto Briefing","source_url":"https://cryptobriefing.com/alpha-finance-suffers-37-5-million-loss-major-attack/"},{"date":"2021-02-18","event":"Alpha Finance Lab publishes detailed post mortem confirming rounding error, hidden sUSD pool, and custom spell vulnerability as root causes.","source":"Alpha Venture DAO Blog","source_url":"https://blog.alphaventuredao.io/alpha-homora-v2-post-mortem/"},{"date":"2021-03-01","event":"Joint repayment agreement announced between Alpha Finance and Cream Finance: 50 million ALPHA tokens locked as 2x collateral, 20% of monthly protocol fees directed to debt repayment, Iron Bank debt interest halted.","source":"Alpha Venture DAO Blog","source_url":"https://blog.alphaventuredao.io/joint-announcement-on-funds-repayment/"},{"date":"2021-04-09","event":"OpenZeppelin completes third security audit of Alpha Homora V2, building on prior audits by Quantstamp and PeckShield.","source":"CryptoNinjas","source_url":"https://www.cryptoninjas.net/2021/04/09/alpha-finance-labs-gets-its-yield-farming-protocol-audited-by-openzeppelin/"},{"date":"2021-04-21","event":"Alpha Homora V2 relaunches with whitelisted spells, restricted token support, and patched access controls.","source":"Finance and Freedom","source_url":"https://financeandfreedom.org/2021/04/21/upcoming-alpha-homora-v2-relaunch-what-is-included/"},{"date":"2022-03-31","event":"Alpha Finance Lab rebrands to Alpha Venture DAO, shifting focus from DeFi products to Web3 incubation.","source":"Invezz","source_url":"https://invezz.com/news/2022/03/31/alpha-finance-lab-rebrands-to-alpha-venture-dao-to-support-decentralised-web3-innovation/"},{"date":"2023-02-01","event":"Iron Bank unilaterally freezes Alpha Homora depositor liquidity without notice, demanding accelerated repayment of the approximately $31.9 million remaining bad debt.","source":"Rekt News","source_url":"https://rekt.news/iron-alpha"},{"date":"2023-03-06","event":"Alpha Homora has published multiple open letters to Iron Bank; Iron Bank rejects all proposed resolution structures. Rekt News publishes analysis of the dispute.","source":"Rekt News","source_url":"https://rekt.news/iron-alpha"},{"date":"2023-05-11","event":"Alpha Homora depositors vote to cease negotiations with Iron Bank, accept Alpha's goodwill fund, and pursue legal action against Iron Bank.","source":"Iron Bank and Alpha Homora Conflict Summarized — Alpha Venture DAO Blog","source_url":"https://blog.alphaventuredao.io/iron-bank-and-alpha-homora-conflict-summarized/"},{"date":"2023-05-17","event":"Alpha Venture DAO begins distributing goodwill fund: 30 million ALPHA tokens plus 50% of protocol fees, vesting monthly over 18 months to affected depositors.","source":"Tenth Open Letter: Goodwill Fund — Alpha Venture DAO Blog","source_url":"https://blog.alphaventuredao.io/tenth-open-letter-goodwill-fund/"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision d5a1ee9d-6b55-4988-9483-31211767ab04
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.