'Free Money' Bug Hits DeFi Platform Alchemix

The bug resulted in roughly 2,000 ETH (or $4.8 million at today's prices) being returned to borrowers prematurely.

AccessTimeIconJun 16, 2021 at 6:12 p.m. UTC
Updated Sep 14, 2021 at 1:12 p.m. UTC

Decentralized finance (DeFi) protocol Alchemix has resolved a bug that seemingly forgave borrowers’ loans prematurely, essentially giving them free money.

One DeFi observer on Twitter called it a “reverse rug pull,” referring to the crypto slang for when project founders abscond with user funds.

For an unknown amount of time, Alchemix borrowers could deposit ETH, get the project's alETH token in return and then withdraw the ETH used to secure their loans without having to pay them back.

"I was successfully able to borrow alETH, and take my collateral," user ptp1600 said in the Alchemix Discord server.

The issue seemingly affected the alETH pool, which was launched yesterday.

The Alchemix team said it’s investigating the issue and will publish a postmortem shortly. In the meantime, “the alETH contract has been paused and will remain so until our solution is implemented,” the project tweeted.

Alchemix co-founder Scoopy Trooples did not return a request for comment when initially contacted.


Alchemix published a postmortem of the snafu at 3:29 p.m. ET. No user funds were lost, rather users were able to withdraw ETH they should not have. 

The bug started around midnight UTC, when users discovered they had “no outstanding debt even though they previously borrowed alETH at a 4:1 collateral ratio,” project admin n4n0 wrote.

It took about 15 minutes for Alchemix to halt the minting of alETH once the team started looking into the issue, n4n0 said.

The root cause: “the alETH vault accidentally created additional vaults,” the incident report notes.

The post concludes with an ask:

“If you would like to support the protocol, the DAO, and the devs, please consider distributing any excess ETH gained during this time to the new Transmuter, to allow it to back the outstanding loans that it created (and you are likely still holding). A portal will be created in the next few days to facilitate this. This will go a long way towards correcting the alETH shortfall and will impact DAO’s treasury much less.”

Alchemix’s native token, ALCX, is down 21.5% since the bug was first noticed, according to CoinGecko.

Brady Dale contributed reporting.

UPDATE (June 17, 1:51 UTC): Adds information from Alchemix's incident report.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Read more about